
Antivirus Software Performs Poorly Against New Threats

Posted by Soulskill
from the also-can't-hold-its-own-against-the-protoss dept.
Hugh Pickens writes "Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses. Researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF). 'The bad guys are always trying to be a step ahead,' says Matthew D. Howard, who previously set up the security strategy at Cisco Systems. 'And it doesn't take a lot to be a step ahead.' Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its 'signature' — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years. 'The traditional signature-based method of detecting malware is not keeping up,' says Phil Hochmuth. Now the thinking goes that if it is no longer possible to block everything that is bad, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached. 'The bad guys are getting worse,' says Howard. 'Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.'"
  • by mcgrew (92797) on Wednesday January 02, 2013 @10:02AM (#42449777)

    > Virus authors, on the other hand, can use virustotal.com to see who can detect their stuff and evolve as necessary to avoid detection.

    Virus writers make their viruses evolve? Creationism, anyone? Computer viruses don't evolve, they are engineered/programmed. And viruses that attack animals (including humans) don't have to evolve features necessary to bind to our receptor sites, those features have already evolved. What they do is mutate so that the animal's immune system doesn't recognize it as a threat.

    The animal immune system is nothing whatever like computer antivirus, and animal viruses are nothing like computer viruses. You guys are anthropomorphising WAY too much here.

  • by GrumpySteen (1250194) on Wednesday January 02, 2013 @10:46AM (#42450083)

    > Virus writers make their viruses evolve?

    In a sense, yes. Viruses have been created which "evolve" by changing their code around in order to prevent signature-based detection. Viruses that do that are referred to as polymorphic [wikipedia.org] viruses.

    Polymorphic viruses are doing basically the same thing as a biological species that evolves into a different coloring that helps it hide from predators. The ones that don't evolve better camouflage get eaten by predators/cleaned by virus scanners. The ones that do evolve better camouflage spread.
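The distinction the story summary and this comment draw, between a signature that matches the bytes of a sample already captured and detection of what a program does once it runs, as an added example that is not part of the original discussion. The two "samples" and the process-event log lines are constructed stand-ins (the variant is simply a different byte string with the same behaviour, not an actual polymorphic engine), and the `pid=... op=... target=...` log format is a hypothetical one chosen for the demo:

```python
import hashlib
import re

# Constructed sample "files": a known sample and a byte-for-byte different
# variant standing in for a polymorphic rewrite. Neither is real malware.
KNOWN_SAMPLE = b"MZ\x90\x00 DROP_AND_RUN v1 \x13\x37"
VARIANT_SAMPLE = b"MZ\x90\x00 xQ9.. v2 \x42\x42"

# Signature database as the article describes it: a hash and a byte pattern
# extracted from a sample that has already been captured and taken apart.
SIGNATURES = {
    "hash": {hashlib.sha256(KNOWN_SAMPLE).hexdigest()},
    "bytes": [b"DROP_AND_RUN"],
}


def signature_match(data: bytes) -> bool:
    """Static detection: exact hash or byte pattern from a previously seen sample."""
    if hashlib.sha256(data).hexdigest() in SIGNATURES["hash"]:
        return True
    return any(pat in data for pat in SIGNATURES["bytes"])


# Constructed runtime event logs (hypothetical format): what each sample does
# when executed. The variant has different bytes but identical behaviour.
KNOWN_EVENTS = [
    "pid=101 op=write target=C:\\Users\\u\\AppData\\Roaming\\svc.exe",
    "pid=101 op=regset target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
    "pid=101 op=connect target=203.0.113.7:4444",
]
VARIANT_EVENTS = [
    "pid=202 op=write target=C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe",
    "pid=202 op=regset target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
    "pid=202 op=connect target=198.51.100.9:8080",
]
BENIGN_EVENTS = [
    "pid=303 op=write target=C:\\Users\\u\\Documents\\notes.txt",
    "pid=303 op=connect target=198.51.100.20:443",
]

EVENT_RE = re.compile(r"pid=(\d+) op=(\w+) target=(.+)")


def behaviour_match(events: list) -> bool:
    """Behavioural detection: flag a process that drops an executable, adds a
    Run-key persistence entry, and then opens an outbound connection."""
    seen = {}
    for line in events:
        m = EVENT_RE.fullmatch(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        pid, op, target = m.groups()
        ops = seen.setdefault(pid, set())
        if op == "write" and target.lower().endswith(".exe"):
            ops.add("drop")
        elif op == "regset" and "\\currentversion\\run\\" in target.lower():
            ops.add("persist")
        elif op == "connect":
            ops.add("beacon")
    return any({"drop", "persist", "beacon"} <= ops for ops in seen.values())


def detection_table() -> dict:
    """(signature hit, behaviour hit) for each constructed case."""
    return {
        "known": (signature_match(KNOWN_SAMPLE), behaviour_match(KNOWN_EVENTS)),
        "variant": (signature_match(VARIANT_SAMPLE), behaviour_match(VARIANT_EVENTS)),
        "benign": (signature_match(b"hello"), behaviour_match(BENIGN_EVENTS)),
    }


if __name__ == "__main__":
    for name, (sig, beh) in detection_table().items():
        print(f"{name:8s} signature={sig!s:5s} behaviour={beh}")
```

The known sample is caught both ways; the variant slips past the hash and byte-pattern checks because nothing in the database was ever extracted from it, yet its drop-persist-beacon sequence is the same and the behavioural rule still fires. The benign process writes a file and talks to the network too, which is why the rule requires the whole sequence rather than any single event.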

  • Re:So... (Score:3, Informative)

    by grantspassalan (2531078) on Wednesday January 02, 2013 @01:00PM (#42451213)

    This is exactly what Apple has done with Gatekeeper in their current OSX. Users can choose 3 levels of software protection. The strictest is only to run software from the Apple store, which all has a code signature key. After that level comes a restriction to run only software from trusted developers that have been issued a signature key by Apple. The final level is no restriction at all, where all software including Trojans and viruses is allowed. The default is the middle level. All iDevices from Apple are restricted to the highest level, namely only software from the Apple Store is allowed. This is a restriction which some techies consider severe, but ordinary users are perfectly happy with Apple's walled garden. This approach of Apple for security seems to work better than all A/V software combined. There have been no viruses or Trojans for iDevices.

  • by PlusFiveTroll (754249) on Wednesday January 02, 2013 @01:18PM (#42451471)

    Bzzt, wrong. MP3s have been the vectors for exploits too.

    > Your MP3s are safe from viruses

    http://www.exploit-db.com/exploits/14309/ [exploit-db.com]
    http://www.gnucitizen.org/blog/backdooring-mp3-files/ [gnucitizen.org]
    http://www.theregister.co.uk/2002/04/29/winamps_malicious_mp3_vuln/ [theregister.co.uk]

    Any interpreter can be used to run an exploit if the interpreter has a flaw. The seemingly huge number of flaws in interpreters shows that it is either hard or people that write software make a lot of mistakes.
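The comment's point is that a file format is only as safe as the code that parses it. As an added example (not code from the original discussion or from any of the linked advisories), here is the kind of bounds check a hardened reader of an MP3's ID3v2 tag header performs: the 10-byte header carries a declared tag size in sync-safe form, and a parser that trusts that size without comparing it to the bytes actually available is the sort of flaw the comment describes. The tag bytes below are constructed for the demo; the ID3v2 header layout itself ("ID3", two version bytes, one flags byte, four 7-bit size bytes) is the real format:

```python
import struct

ID3V2_HEADER_LEN = 10


class TagError(ValueError):
    """Raised for any header the reader refuses to trust."""


def syncsafe_to_int(b: bytes) -> int:
    """ID3v2 sizes are four 7-bit bytes; the high bit of each must be clear."""
    if len(b) != 4 or any(x & 0x80 for x in b):
        raise TagError("invalid sync-safe size")
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def parse_id3v2_header(data: bytes) -> dict:
    """Parse the 10-byte ID3v2 header and refuse tags that do not fit the buffer."""
    if len(data) < ID3V2_HEADER_LEN:
        raise TagError("buffer shorter than ID3v2 header")
    magic, ver_major, ver_rev, flags = struct.unpack(">3sBBB", data[:6])
    if magic != b"ID3":
        raise TagError("not an ID3v2 tag")
    if ver_major == 0xFF or ver_rev == 0xFF:
        raise TagError("reserved version byte")
    tag_size = syncsafe_to_int(data[6:10])
    # The check a careless reader skips: using tag_size to copy or allocate
    # without confirming the buffer actually holds that many bytes.
    available = len(data) - ID3V2_HEADER_LEN
    if tag_size > available:
        raise TagError(f"declared tag size {tag_size} exceeds buffer ({available} available)")
    return {
        "version": (ver_major, ver_rev),
        "flags": flags,
        "tag_size": tag_size,
        "frames": data[ID3V2_HEADER_LEN:ID3V2_HEADER_LEN + tag_size],
    }


def make_tag(frames: bytes) -> bytes:
    """Build a constructed, well-formed ID3v2.3 header followed by the given frame bytes."""
    n = len(frames)
    size = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3" + bytes([3, 0, 0]) + size + frames


def classify(data: bytes) -> str:
    """'ok:<size>' for an accepted header, 'rejected:<reason>' otherwise."""
    try:
        header = parse_id3v2_header(data)
        return f"ok:{header['tag_size']}"
    except TagError as exc:
        return f"rejected:{exc}"


# Constructed inputs: a consistent tag, one whose header claims far more data
# than is present, and one whose size bytes violate the sync-safe rule.
GOOD_TAG = make_tag(b"TIT2" + b"\x00\x00\x00\x06" + b"\x00\x00" + b"\x00hello")
OVERSIZED_TAG = b"ID3\x03\x00\x00" + bytes([0, 0, 0x7F, 0x7F]) + b"\x00" * 20
BAD_SIZE_TAG = b"ID3\x03\x00\x00" + bytes([0, 0, 0x80, 0x10]) + b"\x00" * 20

if __name__ == "__main__":
    for name, tag in [("good", GOOD_TAG), ("oversized", OVERSIZED_TAG), ("bad size", BAD_SIZE_TAG)]:
        print(f"{name:9s} -> {classify(tag)}")
```

The oversized header declares 16383 bytes of tag data with only 20 present; a reader that allocates or copies on the declared value rather than the measured one is exactly the "interpreter with a flaw" the comment has in mind, and the fix is to treat every length field in the file as untrusted input.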
