Microsoft Security Essentials Misses 39% of Malware

Barence writes "The latest tests from Dennis Publishing's security labs saw Microsoft Security Essentials fail to detect 39% of the real-world malware thrown at it. Dennis Technology Labs (DTL) tested nine home security products on a Windows 7 PC, including Security Essentials, which is distributed free to Windows users and built into Windows 8 in the form of Windows Defender. While the other eight packages all achieved protection scores of 87% or higher — with five scoring 98% or 99% — Microsoft's free antivirus software protected against only 61% of the malware samples used in the test. Microsoft conceded last year that its security software was intended to offer only "baseline" performance"."

MSSE vs Norton

[Mr Foobar]

So, either MSSE misses over a third of malware, or use Norton and your computer turns into a zombie with the performance of a 486 running WfWG...

Hmm, tough choice there.

Re:Actual Reports

[mythosaz]

7.2 Threat selection
The malicious web links (URLs) used in the tests
were not provided by any anti-malware vendor.
They were picked from lists generated by Dennis
Technology Labs’ own malicious site detection
system, which uses popular search engine
keywords submitted to Google. It analyses sites
that are returned in the search results from a
number of search engines and adds them to a
database of malicious websites.
In all cases, a control system (Verification Target
System - VTS) was used to confirm that the URLs
linked to actively malicious sites.
Malicious URLs and files are not shared with any
vendors during the testing process.

In other words, you get to take his word for it, and we don't know what failed or why.

Sounds about right

[Sycraft-fu]

If you look at AV Comparitives, who seem to do pretty good testing, MSE is about 90%. That's quite low (though there are commercial apps that are worse) but the tradeoff is zero false positives on essentially every test.

It's certainly not what you get if you want highest security, but it does a reasonably good job, and doesn't generate false positives, which can piss off newbie users and make them want the AV scanner off. It also updates definitions via Windows Update, if its internal updater has an issue, which is nice for people who won't mind after their AV software.

It's not what I use, but it isn't a bad baseline. I'd sure as hell use it rather than Norton :P.

Re:In other news

[AlphaWolf_HK]

The really good (as in clever) malware don't do any of those things. It's best not to in order to avoid unwanted attention so that your ultimate goal (whatever it be) can be achieved.

Re:Actual Reports

[TapeCutter]

Yes, vendor A says vendor B's free product sucks. I put MES on my win7 boxes after the free AGV let something thru earlier this year. The virus tricked win7 into thinking an infected system file was a good thing.Interestingly MSE was the only one of three free virus scanners I tried that picked up the infection.

However there was catch22 since MSE stubbornly refused to install itself until the infected file was gone and win7 kept restoring the infected file at boot up. The pragmatic developer in me gave up digging further down that particular rabbit hole. I realise I was now also fighting a win7 immune system that the virus had usurped, but I knew how it got in and that was enough to convince me to change the scanner I'd been using since the late 90's. First time in at least 10yrs I've had to wipe my own windows system disk because of an infection.

Why yes, IAACS, but the above is experience with MSE is a personal anecdote, not a professional opinion.

Re:In other news

[Anonymous Coward]

Malware is probably the most precisely written, bug-free software on the planet, bar nothing else. It takes up little memory, runs without being noticed, can run on an extremely large amount of hardware/software combinations and run well.

So, calling Windows malware is really a misnomer. Malware is written to some damn exacting quality standards, and its support (such as the people behind CryptoLocker) is usually better than 99% of the tech support departments in any legit company.

Sponsored?

[dcooper_db9]

From page 19 of the report:

What is the difference between a vendor and a partner vendor?

Partner vendors contribute financially to the test in return for a preview of the results, an opportunity to challenge results before publication and the right to use award logos in marketing material. Other participants first see the results on the day of publication and may not use award logos for any purpose.

Do you share samples with the vendors?

Partner vendors are able to download all samples from us after the test is complete. Other vendors may request a subset of the threats that compromised their products in order for them to verify our results. The same applies to client-side logs, including the network capture files. There is a small administration fee for the provision of this service.

Re:In other news

[bloodhawk]

You honestly have not dealt with much malware. Most of it is atrociously written and more often then not only detected because it chews up system resources or causes crashes. only a tiny percentage of malware is written well.

Have you ever used it? MSE is great.

[Slagothor]

I care about the security of MSE a great deal. MSE does what Av should do. It also does it in the background like it should and out of the way. MSE is a program/tool that is outstanding. Surprised to see it come out of Microsoft. If a paid version were needed/required, I'd pay, and I don't pay for Av protection.

Re:Actual Reports

[LordLimecat]

CryptoLocker has showed that to be the case.

Having been on a team that dealt with cryptolocker, I can say that you are not correct.

Cryptolocker often is sent as malicious executables contained in zip file email attachments, which could target Linux or OSX or AIX just as easily.

you tend to be screwed no matter how good the AV program is,

If the virus is in usermode, the AV can easily remove it no matter what measures it takes, since the AV runs with root privileges. If the virus has root, it depends on what virus and what AV and how recent each is.

The whole premise of "Windows gets viruses because its insecure" is such an absurd myth thats been disproved so many times that its astonishing that people still make such a stupid claim. Go look up Pwn2Own, and see how vulnerable your *nix systems can be when theres a sufficient incentive to break in. Go look up the cross-platform PDF Proof of concept. Check the stats on what type of exploits are used for the majority of malware (OS / third party /browser plugin); I think you'll find that OS-level exploits are quite uncommon these days compared with the others.

...[2]....

Viruses dont do that because there is no financial gain whatsoever to killing a Bitlocker volume.

Re:Sounds about right

[gman003]

More to the point:

Defense, of any sort, requires layers. And with enough layers, each individual layer can have quite a significant failure without compromising the integrity of the whole defense. My browsing habits, AdBlock, browser-based malware blocking, antivirus, and OS-level permission limits - all of those protect me. Each one probably only has a 90% success rate, but that combines to 99.999% effectiveness (assuming each layer is fully independent - in reality, stuff that can break one layer is likely able to break some of the others, so it may only be 99.9% effective, which is still pretty damn good).

I use MSE not because it's the best, but because it's the least intrusive. It nags me to run a scan about once a month, and I think only once has it flagged any malware (false positive - I do scans with MalwareBytes every few months, which is much better at detection and removal but does nothing for real-time protection, and it did not find anything). Other than that, it doesn't put any noticeable load on my system or bother me with meaningless alerts - unlike even "good" AV like AVG.