Anti-Virus Effectiveness Down from Last Year

juct sends us Heise Security's summary of an article detailing the abilities of 17 current anti-virus solutions. German computer magazine c't has found that, compared to last year, the virus scanners are having a more difficult time recognizing malware. Quoting Heise: "For real protection, however, in view of the flood of new malware, the way these programs cope with new and completely unfamiliar attacks is more important. And that's where almost all of the products performed significantly worse than just a year ago. The typical recognition rates of their heuristics fell from approximately 40-50 per cent in the last test - at the beginning of 2007 - to a pitiful 20-30 per cent."
  • smitFraud (Score:5, Interesting)

    by Freaky Spook ( 811861 ) on Friday December 21, 2007 @04:51AM (#21776618)

    I've had a lot of people bring me infected PCs with smitFraud that the big AVs have not even recognised or been able to properly remove. They have been pretty angry that the $90 or so they paid for a complete Internet Security product was not able to protect them.

    It causes Windows to pretty much choke and die, as it just consumes so many resources and provides so much irritation, but major products like Trend or Symantec have not been able to successfully protect or remove them. I have had to use custom-written tools that you get off the net for free. They really dropped the ball with that one.
  • Just don't do it... (Score:4, Interesting)

    by Dishevel ( 1105119 ) on Friday December 21, 2007 @05:26AM (#21776762)
    Just don't have AVs installed at all. Not having AV installed on my system keeps me from even thinking of trying anything stupid. Every month or so I download a free trial of a non-Norton / non-McAfee AV program, update it and run a full scan. Then I do the same with a different one. Then I repeat with spyware/malware programs. All that has ever been found is a few cookies. Safety through not doing stupid shit.
  • by Anonymous Coward on Friday December 21, 2007 @05:26AM (#21776764)
    An optimist would say that virus effectiveness has gone up.
  • by Anonymous Coward on Friday December 21, 2007 @05:35AM (#21776802)
    The main reason for virus infections, as far as I can see, is because of people simply executing untrusted programs: downloading rubbish toolbars, screen savers and opening e-mail attachments which say "Pam Anderson Naked.exe". I think more "sophisticated" means of infection, such as buffer-overflows or browser bugs are relatively less prevalent than the simple act of directly executing a trojan program and infecting yourself (not that I have statistics to back me up).

    Personally, I don't use an anti-virus product (at least, I don't have one running continuously, bogging the system down). My protection mechanism is to simply not run programs I don't trust and also have the latest updates installed. In the rare event that I do need to run an untrusted executable, I run a manual scan on it.

    After giving up the temptation to run these rubbish programs, I haven't been infected by a virus in years.
  • Re:smitFraud (Score:4, Interesting)

    by Barny ( 103770 ) on Friday December 21, 2007 @06:07AM (#21776938) Journal
    Been getting this one a lot. The fix is usually fine for older variants, but new versions and revisions spring up that it just seems to miss. The system seems clean at first, but usually about a month later it is all back.

    I usually tell customers this, and tell them they have two choices:
    1. We can try the smitfraud fix and, who knows, it might be lucky, but if they have to bring it back in a month we will charge them again.
    2. We can back up all their data, format, reinstall and remove any executable files from their backup.

    The second always works. I have never had a re-infection with it (well, I have, but that is usually thanks to someone surfing porn regularly, proven to the customer by showing them the browse history).

    Best protection for it: Firefox + NoScript, which I tell the customer and offer to install for no extra cost, of course :)

    Only problem is, my boss kinda hates me. We don't get the same people bringing their machines in every 2 months anymore needing a software clean done :P
  • Re:yeah, but.. (Score:5, Interesting)

    by allcar ( 1111567 ) on Friday December 21, 2007 @06:13AM (#21776968)
    You make an excellent point.
    Pro-Linux as I am, I still do not feel that we can afford to be complacent about the malware issue. The reason that Linux is largely unaffected is that it is not very widely used, especially by the sort of numpties that get tempted by exciting new screensavers bearing trojans.
    If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away. I hope and believe that Linux is more secure by design, and the same is probably true of many of the apps that are popular in Linux distros - you won't find ActiveX cheerfully opening the door to anyone. However, nobody should be ignoring malware with the excuse that Linux is immune.
  • Re:after the fact (Score:3, Interesting)

    by Suddenly_Dead ( 656421 ) on Friday December 21, 2007 @06:48AM (#21777128)

    I think the real problem with malware is that by the time an antivirus/antispyware program is needed IT IS TOO LATE. You have already been infected; antivirus software is for after the fact, cleaning up the files that were installed or warning you of their presence in a file attachment etc.


    There's this not-too-recent development in Antivirus programs where they actually scan executables before and as you execute them, preventing the infection.

    Of course it's not perfect, but it's probably the reason most people have virus scanners. Once a system is infected it's useless to most users, who will simply bring it into a shop or trash it because "it's too slow", and even many experienced users would simply give up and reinstall Windows at that point.
  • by someone1234 ( 830754 ) on Friday December 21, 2007 @07:23AM (#21777262)
    AVG for example shows nwn2main.exe (Neverwinter Nights 2 from Obsidian) as false positive.
    Sure, it is partly because of the inane copy protection, but AVG should do some tests before issuing such crap.

    Luckily the 'infected exe' is recoverable, and after disabling the resident shield it will run. But then, why do you have AV in the first place?
  • by kongit ( 758125 ) on Friday December 21, 2007 @07:45AM (#21777388)
    I wouldn't say it is pointless. However, overusing an AV is pointless. Scanning a file every time it is accessed is pointless, as it should have been checked before it was allowed permanently on the machine. If that file has not been modified since the last AV check it should not be scanned. Additionally, scanning files you create is rather pointless, because if you are putting a virus in your files either a) you know what you are doing or b) you have another virus or trojan somewhere else putting that virus in your file, so any action on the created file would not fix the problem. There are many viruses out in the wild and most AV software can check for many of them. Not only are new viruses a threat, but older ones can still cause large problems. So AV software does have a place in modern computing, but many developers of AV software make it do more than it needs to and use way too much overhead and time to do it.

    Using the internet is like sex. The only way to completely avoid viruses is abstinence. It is almost always safe if you do it with somebody you know to be safe, like a spouse. If you are dealing with the unknown or unreliable, protection is your best bet. While AV software isn't as reliable as a condom (which isn't 100% reliable), it is better than nothing.
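    The "don't rescan what hasn't changed" idea in the comment above is the basis of the scan caches real on-access engines keep. The following is an added illustration, not code from the page or from any AV product: a cache that trusts a stored verdict while size, mtime and (on POSIX) ctime are unchanged, falls back to a content hash when only metadata moved (chmod, touch, copy), and only runs the expensive scanner when the bytes actually differ. The `toy_scanner`, the `MARKER` byte string and the file names are constructed for the example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed marker used by the toy signature scanner below.  It stands in
# for a real engine's signature database and means nothing outside this file.
MARKER = b"CONSTRUCTED-EXAMPLE-MARKER"


def toy_scanner(path):
    """Placeholder for a real scan engine: flag files that contain MARKER."""
    with open(path, "rb") as f:
        return "infected" if MARKER in f.read() else "clean"


@dataclass
class CacheEntry:
    size: int
    mtime_ns: int
    ctime_ns: int
    sha256: str
    verdict: str  # result of the last real scan


class ScanCache:
    """Rescan a file only when its content may have changed."""

    def __init__(self, scanner):
        self.scanner = scanner
        self.entries = {}
        self.scans = 0  # how often the expensive scanner actually ran

    @staticmethod
    def _digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def check(self, path):
        """Return (verdict, rescanned)."""
        st = os.stat(path)
        entry = self.entries.get(path)
        # Cheap path: size, mtime and ctime all unchanged.  ctime is part of
        # the key because utime()-style timestamp resets touch mtime but not
        # ctime, so mtime alone is too easy to make look "unchanged".
        if entry and (st.st_size, st.st_mtime_ns, st.st_ctime_ns) == (
            entry.size, entry.mtime_ns, entry.ctime_ns
        ):
            return entry.verdict, False
        digest = self._digest(path)
        # Metadata moved but the bytes are identical (chmod, touch, copy):
        # refresh the stat key and keep the old verdict, no scan needed.
        if entry and entry.sha256 == digest:
            entry.size, entry.mtime_ns, entry.ctime_ns = (
                st.st_size, st.st_mtime_ns, st.st_ctime_ns
            )
            return entry.verdict, False
        # Content really changed (or first sight of the file): scan it.
        self.scans += 1
        verdict = self.scanner(path)
        self.entries[path] = CacheEntry(
            st.st_size, st.st_mtime_ns, st.st_ctime_ns, digest, verdict
        )
        return verdict, True


def demo():
    """Exercise the cache on a constructed file; returns the observed results."""
    cache = ScanCache(toy_scanner)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.bin")
        with open(path, "wb") as f:
            f.write(b"harmless payload bytes")
        first = cache.check(path)       # first sight: real scan
        second = cache.check(path)      # nothing changed: cached verdict
        os.chmod(path, 0o600)           # metadata only: hash hit, no scan
        third = cache.check(path)
        with open(path, "ab") as f:     # bytes change: real scan again
            f.write(MARKER)
        fourth = cache.check(path)
    return [first, second, third, fourth], cache.scans


if __name__ == "__main__":
    print(demo())
```

    Note that any stat-based shortcut is only as trustworthy as the metadata it keys on; a cache that wants to resist deliberate tampering keeps the content hash as the final arbiter, as the fallback branch does here, and accepts the cost of hashing whenever the cheap key misses.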
  • by Opportunist ( 166417 ) on Friday December 21, 2007 @08:38AM (#21777666)
    That's maybe the most insightful thing I've read in this thread so far.

    I work for an AV company. Our focus lies on "local threats". Not necessarily the local scriptkiddy community, more the phishing and ID fraud thing.

    For about a year now, those things have been "localized". I'm not joking when I say that, depending on the country you're in, you get different versions of a certain trojan, targeting exactly YOUR banks, YOUR finance services, YOUR online stores. They actually go to the lengths of recreating the local bank pages down to the links. And then this malware is spread very, very well targeted on your country or state, or even only your county. They noticed that AV vendors do actually work together and something that spreads globally is easily detected within a second, not an hour later every AV vendor has a signature update that finds it.

    With a very narrowly targeted release, you can stay "under the radar" and go undetected by most AV vendors who don't have any information gathering tools in that local area.

    In short, don't buy the "best" AV tool. If there is one local company, buy theirs! They have the highest chance to find the local threats fastest, while still getting the global threats. Local threats, though, are the (IMO) more serious ones, not only making you a spam box or trashing your system, but they steal your ID, loot your account and destroy your credit rating!

    Now, in turn I also get a fair deal of machines on my desk that have been affected by those ID problems (take a wild guess who's interested in finding out what's cooking). Most of those machines were not protected at all (or by Windows Defender, which is no protection. No MS bashing, but it can't be when you think about it), some were protected by global players in the AV field (most of them by a certain company with a capital N in their name), but none by local companies that DID actually find the threat.

    You can test it yourself. Should you happen to get one of those targeted malware, send it to virustotal and look for yourself. Local companies will find it. Larger companies will find it much later, or not at all, because the spread is so tiny (thus the perceived threat so small) that it doesn't matter to them.
  • by Tridus ( 79566 ) on Friday December 21, 2007 @08:55AM (#21777762) Homepage
    I've known that AV software doesn't work very well for quite a while. It's really nothing new. It is nice to have someone doing tests that I can shove in people's faces, though.

    This isn't the biggest problem though. AV software is actively harmful. Aside from dramatically slowing down EVERYTHING, it can flat out break stuff. Norton in particular is notorious for screwing things up, to the point that if someone asks me about a problem with their computer now, my first answer is always "uninstall Norton."

    Running the gamut from games being intolerably slow to programs crashing to drivers inexplicably failing to install (even after turning Norton off), to date "uninstall Norton" has never failed to fix the problem.

    (Really, Norton and the virus makers themselves aren't much different, in that both of them prey on the computer illiterate.)
  • by Opportunist ( 166417 ) on Friday December 21, 2007 @09:56AM (#21778142)
    You judge the AV industry by your experience with Norton. That's like saying cars are crap because you didn't like that old Lada you got.

    It's a bit like saying webcams crash your system because you had one from Logitech (whose driver actually does just that). Or like saying OSs suck because you've seen what Vista is like.

    There are decent AV companies about who do take care that the footprint they leave in the system is small, and that their drivers (which have to be quite invasive, unfortunately) don't ruin the system they're supposed to protect. Please don't judge the whole industry by one single experience.
  • by Opportunist ( 166417 ) on Friday December 21, 2007 @10:01AM (#21778200)
    It was prone to happen. Actually I'm amazed it's considered news.

    The malware-antimalware war ain't a static one. Both sides are engaging in a quite impressive arms race. They start creating morphing trojans, we create ways to detect them, they create global trojan floods, we employ detection networks to catch them, they switch from mail distribution to infected webpages, we start sending out spiders, they start using targeted spam, we create fake personalities to be "interesting" for them, they ...

    It's just the same with the detection and elimination routines. They use certain API calls, we start listening to those calls carefully, they switch the calls, we follow, they start using executable packers, we develop exec unpackers, we discover that malware PE headers have a certain format, they change the format and create "filler" sections to look normal...

    It's just a chapter in that arms race. Give us 2 months and we're back on par.
  • Skewed (Score:2, Interesting)

    by raijinsetsu ( 1148625 ) on Friday December 21, 2007 @10:18AM (#21778388)
    I don't think that it's the effectiveness of the heuristics that has decreased. It's probably that the virus and malware programmers have gotten craftier: studying how these algorithms work and countering them. It's one of the reasons why I stay away from the mainstream AVs.
  • by GreggBz ( 777373 ) on Friday December 21, 2007 @10:38AM (#21778604) Homepage
    A user compromise on a Linux system would provide suitable functionality for today's typical malware.

    On my default, fully security-patched Mandriva workstation:

    - I have full read write execute permission to my home directory.
    - I can run wget to download anything, and put it as an executable anywhere in my home directory.
    - I can use perl, awk, whois, grep, sed, whatever, to craft some pretty nasty scripts.
    - I can use telnet and I could write an expect script to send spam with telnet.
    - Or, I could just download a precrafted elf binary to run as a mini-mail server in my home directory.
    - It's not too hard to imagine that I could pop something in /tmp or elsewhere that would persist on the system even after the user had been deleted.
    - I could fire off a fork bomb that will crash the system instantly.

    It does not take too much imagination to figure out some suitably bad stuff that you could do as any old user.

    Of course, hiding yourself on the system and ensuring your survival could be difficult. It would be easy to find all the nasty services running as said user, since top, ps, etc.. would not have been compromised.
  • AV Comparatives (Score:2, Interesting)

    by sh33333p ( 1186531 ) on Friday December 21, 2007 @02:14PM (#21781804)
    Since this article is about a print article in German, you may want to check out the site http://www.av-comparatives.org/

    Malware is an arms race, and the comments about AV software being useless are bull. It just isn't a panacea either. Schneier says security is a trade-off. Average users don't want to be inconvenienced by things like applying the principle of least privilege. Personally I use SudoWn and Runasspc with my XP Pro system when I need to elevate something to admin, and a combination of Avira/Spybot-SD and Firefox with NoScript. That's the software side. The most important thing I do for my security is to mistrust everything by default. I don't install stuff that's likely to be infected. Even if I think something is safe, I scan it manually before I run it with admin privs. I've been virus/malware free since I put this system together back in March of this year, and I've probably installed nearly 100 applications in that time.

    PS: The later versions don't seem to work for me, but version 2.0 of SudoWn does, and it requires .Net 2.0.
    Hopefully this is helpful to at least one person.