Anti-Virus Effectiveness Down from Last Year
juct sends us Heise Security's summary of an article detailing the abilities of 17 current anti-virus solutions. German computer magazine c't has found that, compared to last year, the virus scanners are having a more difficult time recognizing malware. Quoting Heise:
"For real protection, however, in view of the flood of new malware, the way these programs cope with new and completely unfamiliar attacks is more important. And that's where almost all of the products performed significantly worse than just a year ago. The typical recognition rates of their heuristics fell from approximately 40-50 per cent in the last test - at the beginning of 2007 - to a pitiful 20-30 per cent."
smitFraud (Score:5, Interesting)
I've had a lot of people bring me PCs infected with smitFraud that the big AVs have not even recognised or been able to properly remove; they have been pretty angry that the $90 or so they paid for a complete Internet Security product was not able to protect them.
It causes Windows to pretty much choke and die, as it just consumes so many resources and provides so much irritation, but major products like Trend or Symantec have not been able to successfully protect against or remove them. I have had to use custom-written tools that you get off the net for free. They really dropped the ball with that one.
Just dont do it... (Score:4, Interesting)
The glass is half-empty? (Score:1, Interesting)
User awareness is key (Score:1, Interesting)
Personally, I don't use an anti-virus product (at least, I don't have one running continuously, bogging the system down). My protection mechanism is to simply not run programs I don't trust and also have the latest updates installed. In the rare event that I do need to run an untrusted executable, I run a manual scan on it.
After giving up the temptation to run these rubbish programs, I haven't been infected by a virus in years.
Re:smitFraud (Score:4, Interesting)
I usually tell customers this, and tell them they have two choices:
1. We can try the smitFraud fix and, who knows, it might be lucky, but if they have to bring it back in a month we will charge them again.
2. We can back up all their data, format, reinstall, and remove any executable files from their backup.
The second always works; I have never had a re-infection with it (well, I have, but that is usually thanks to someone surfing porn regularly, proven to the customer by showing them the browser history).
Best protection for it: Firefox + NoScript, which I tell the customer about and offer to install for no extra cost, of course.
Only problem is, my boss kinda hates me: we don't get the same people bringing their machines in every 2 months anymore needing a software clean done.
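A defender-side illustration of step 2's "remove any executable files from their backup", added here as an example and not code from the thread or its poster: it flags files in a backup tree as executable by extension or by their leading magic bytes (so a renamed .exe is still caught) and moves them to a quarantine directory before the data is restored. The extension list and the sample files in demo() are constructed for the example.

```python
import os
import shutil
import tempfile
# Extensions Windows runs directly or via a script host (constructed list, not exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".wsf", ".msi", ".dll"}
# Magic bytes of Windows PE/DOS ("MZ") and Linux ELF binaries.
MAGIC = (b"MZ", b"\x7fELF")

def is_executable(name: str, header: bytes) -> bool:
    """True if the file name or its leading bytes identify an executable."""
    ext = os.path.splitext(name)[1].lower()
    return ext in EXEC_EXTENSIONS or header.startswith(MAGIC)

def find_executables(root: str) -> list:
    """Walk a backup tree; return root-relative paths that look executable."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                header = f.read(4)  # enough for both magic prefixes
            if is_executable(fn, header):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def quarantine(root: str, quarantine_dir: str) -> list:
    """Move flagged files out of the backup, keeping their relative paths."""
    moved = []
    for rel in find_executables(root):
        dest = os.path.join(quarantine_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(os.path.join(root, rel), dest)
        moved.append(rel)
    return moved

def demo() -> list:
    """Constructed sample backup: a document, an .exe, a PE renamed to .jpg, a real JPEG."""
    root, qdir = tempfile.mkdtemp(), tempfile.mkdtemp()
    samples = {
        "Documents/notes.txt": b"shopping list",
        "Downloads/screensaver.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "Pictures/holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # renamed executable
        "Pictures/real.jpg": b"\xff\xd8\xff\xe0",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return quarantine(root, qdir)
```

Content sniffing here covers only PE and ELF headers; script files with a harmless extension still pass, so the quarantine list should be reviewed rather than trusted blindly.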
Re:yeah, but.. (Score:5, Interesting)
Pro-Linux as I am, I still do not feel that we can afford to be complacent about the malware issue. The reason that Linux is largely unaffected is that it is not very widely used, especially by the sort of numpties that get tempted by exciting new screensavers bearing trojans.
If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away. I hope and believe that Linux is more secure by design, and the same is probably true of many of the apps that are popular in Linux distros - you won't find ActiveX cheerfully opening the door to anyone. However, nobody should be ignoring malware with the excuse that Linux is immune.
Re:after the fact (Score:3, Interesting)
There's this not-too-recent development in Antivirus programs where they actually scan executables before and as you execute them, preventing the infection.
Of course it's not perfect, but it's probably the reason most people have virus scanners. Once a system is infected it's useless to most users, who will simply bring it into a shop or trash it because "it's too slow", and even many experienced users would simply give up and reinstall Windows at that point.
There are just too many false positives (Score:3, Interesting)
Sure, it is partly because of the inane copy protection, but AVG should do some testing before issuing such crap.
Luckily the 'infected exe' is recoverable, and after disabling the resident shield it will run. But then, why do you have AV in the first place?
Re:Heuristics in "easily defeated" shock (Score:1, Interesting)
Using the internet is like sex. The only way to completely avoid viruses is abstinence. It is almost always safe if you do it with somebody you know to be safe, like a spouse. If you are dealing with the unknown or unreliable, protection is your best bet. While AV software isn't as reliable as a condom (which isn't 100% reliable), it is better than nothing.
Re:My expectations are not that high... (Score:3, Interesting)
I work for an AV company. Our focus lies on "local threats". Not necessarily the local scriptkiddy community, more the phishing and ID fraud thing.
For about a year now, those things have been "localized". I'm not joking when I say that, depending on the country you're in, you get different versions of a certain trojan, targeting exactly YOUR banks, YOUR finance services, YOUR online stores. They actually go to the lengths of recreating the local bank pages down to the links. And then this malware is spread very, very well targeted on your country or state, or even only your county. They noticed that AV vendors do actually work together and something that spreads globally is easily detected within a second, not an hour later every AV vendor has a signature update that finds it.
With a very narrowly targeted release, you can stay "under the radar" and go undetected by most AV vendors who don't have any information gathering tools in that local area.
In short, don't buy the "best" AV tool. If there is one local company, buy theirs! They have the highest chance to find the local threats fastest, while still getting the global threats. Local threats, though, are the (IMO) more serious ones, not only making you a spam box or trashing your system, but they steal your ID, loot your account and destroy your credit rating!
Now, in turn, I also get a fair deal of machines on my desk that have been affected by those ID problems (take a wild guess who's interested in finding out what's cooking). Most of those machines were not protected at all (or by Windows Defender, which is no protection. No MS bashing, but it can't be when you think about it), some were protected by global players in the AV field (most of them by a certain company with a capital N in their name), but none by local companies that DID actually find the threat.
You can test it yourself. Should you happen to get one of those targeted malware, send it to virustotal and look for yourself. Local companies will find it. Larger companies will find it much later, or not at all, because the spread is so tiny (thus the perceived threat so small) that it doesn't matter to them.
AV software causes more problems than it solves (Score:3, Interesting)
This isn't the biggest problem, though. AV software is actively harmful. Aside from dramatically slowing down EVERYTHING, it can flat out break stuff. Norton in particular is notorious for screwing things up, to the point that if someone asks me about a problem with their computer now, my first answer is always "uninstall Norton."
Running the gamut from games being intolerably slow, to programs crashing, to drivers inexplicably failing to install (even after turning Norton off), to date "uninstall Norton" has never failed to fix the problem.
(Really, Norton and the virus makers themselves aren't much different, in that both of them prey on the computer illiterate.)
Re:AV software causes more problems than it solves (Score:3, Interesting)
It's a bit like saying webcams crash your system because you had one from Logitech (whose driver actually does just that). Or like saying OSs suck because you've seen what Vista is like.
There are decent AV companies about who do take care that the footprint they leave in the system is small, and that their drivers (which have to be quite invasive, unfortunately) don't ruin the system they're supposed to protect. Please don't judge the whole industry by one single experience.
Why the drugs don't work anymore (Score:4, Interesting)
The malware-antimalware war ain't a static one. Both sides are engaging in a quite impressive arms race. They start creating morphing trojans, we create ways to detect them, they create global trojan floods, we employ detection networks to catch them, they switch from mail distribution to infected webpages, we start sending out spiders, they start using targeted spam, we create fake personalities to be "interesting" for them, they
It's just the same with the detection and elimination routines. They use certain API calls, we start listening to those calls carefully, they switch the calls, we follow, they start using executable packers, we develop exec unpackers, we discover that malware PE headers have a certain format, they change the format and create "filler" sections to look normal...
It's just a chapter in that arms race. Give us 2 months and we're back on par.
Skewed (Score:2, Interesting)
Re:where are all the Linux server exploits .. (Score:5, Interesting)
On my default, fully security-patched Mandriva workstation:
- I have full read write execute permission to my home directory.
- I can run wget to download anything, and put it as an executable anywhere in my home directory.
- I can use perl, awk, whois, grep, sed, whatever, to craft some pretty nasty scripts.
- I can use telnet and I could write an expect script to send spam with telnet.
- Or, I could just download a precrafted elf binary to run as a mini-mail server in my home directory.
- It's not too hard to imagine that I could pop something in
- I could fire off a fork bomb that will crash the system instantly.
It does not take too much imagination to figure out some suitably bad stuff that you could do as any old user.
Of course, hiding yourself on the system and ensuring your survival could be difficult. It would be easy to find all the nasty services running as said user, since top, ps, etc.. would not have been compromised.
AV Comparatives (Score:2, Interesting)
Malware is an arms race, and the comments about AV software being useless are bull. It just isn't a panacea either. Schneier says security is a trade-off. Average users don't want to be inconvenienced by things like applying the principle of least privilege. Personally I use SudoWn and Runasspc with my XP Pro system when I need to elevate something to admin, and a combination of Avira/Spybot-SD and Firefox with NoScript. That's the software side. The most important thing I do for my security is to mistrust everything by default. I don't install stuff that's likely to be infected. Even if I think something is safe, I scan it manually before I run it with admin privs. I've been virus/malware free since I put this system together back in March of this year, and I've probably installed nearly 100 applications in that time.
PS: The later versions don't seem to work for me, but version 2.0 of SudoWn does, and it requires
Hopefully this is helpful to at least one person.