Antivirus Software Performs Poorly Against New Threats 183
Hugh Pickens writes "Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses. Researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF). 'The bad guys are always trying to be a step ahead,' says Matthew D. Howard, who previously set up the security strategy at Cisco Systems. 'And it doesn't take a lot to be a step ahead.' Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its 'signature' — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years. 'The traditional signature-based method of detecting malware is not keeping up,' says Phil Hochmuth. Now the thinking goes that if it is no longer possible to block everything that is bad, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached. 'The bad guys are getting worse,' says Howard. 'Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.'"
It's a matter of time, stupid! (Score:4, Insightful)
The antivirus company can only react to new virus technologies. So the time to reaction is the actual measurement we need first. Only later we need the accuracy.
Re:What's the impact of those new viruses? (Score:5, Insightful)
The "best" malware are the ones designed to be undetectable for years. Some even go so far as to play the role of an anti-virus to keep other infections out of its host. Given that most users don't bother to make sure their AV product is up to date (if working at all), it's no surprise these infections are never detected because they're actually making the computer run better (from the user's perspective) just so they can continue their own agenda undisturbed. The most advanced malware is more akin to a semi-benign parasite than a biological virus or bacteria.
Re:What's the impact of those new viruses? (Score:4, Insightful)
I'm still finding systems with infected MBRs and hidden partitions loaded with TDSS.tdl4. How old is this rootkit now?
I think these AV companies need to figure out how to properly clean/repair a system that has already been compromised before trying to play the cat and mouse game with the malware developers. I find AV software far more useful if a late detection can be removed/repaired rather than have it sit on my system for years undetected.
This is asking the wrong questions (Score:4, Insightful)
The question is, how well do these products protect their users? This study doesn't really help in that regard. Sure, we can dig up samples that the product doesn't detect. This is inevitable as pretty much everyone acknowledges.
A couple thoughts though. Looking at the PDF, they are deliberately going after obscure and experimental samples of malware. Fair enough, this was the purpose of the study. If they wanted to establish that AV products won't detect obscure and experimental malware samples, so far so good. But how likely is it that any normal user is going to encounter one of these? Probably very unlikely.
The AV vendors have to prioritize their time, so they will focus more on malware that a user is likely to encounter, so as to provide better protection.
Yes, the underlying point is still valid. Any automated detection technology is going to lag behind, that's a problem we will have to live with. Even products from Imperva will suffer from this, malware authors will simply run their samples through VirusTotal and all the other tools and keep tweaking until they have an approach that evades the detection.
No shit (Score:4, Insightful)
Back in 1997 I wrote a resident com/exe DOS infector, which couldn't be detected by F-Prot nor TBAV (remember those?), despite the infector not being encrypted, much less polymorphic.
I learned two valuable lessons back then:
1) If you're going to write an infector, make sure you write the cleaner first.
2) You are your own best AV on the PC. If you know what you're doing, the AV does nothing helpful, and if you get infected, it'll be by something that AV cannot detect.
Bigger problem than imagined. (Score:4, Insightful)
I run a local computer repair shop, and I can corroborate this story- modern AV does jack.
I haven't seen any really malicious malware in a while, but I see ransomware and scareware ones quite often, and every time the computer has up to date AV on it.
What's more, a lot of the time I've seen the virus in question several times, meaning it's been around for at least a fortnight, and still the AV guys haven't picked up on it.
I can appreciate that a social engineered drive-by exploit attack is difficult to defend from, when the customer asks me how to stop it happening again, it's a tough question to answer- but this doesn't change the fact that IMHO, all anti-virus is a waste of time and money at the moment.
I install MSE on customer laptops because I have to put SOMETHING there, but I have little faith that it will protect them.
Now I'm not fear-mongering here, I'm just being matter-of-fact. Three years ago when I stopped re-selling AVG, my account manager said 'Oh sorry to hear that, can I ask why?'
I said; 'Because it doesn't work. I am removing trojans and rootkits from computers every day, and many of them are running AVG, which has completely failed to save them.'
Make your anti-virus software work, and make it protect users from drive-by attacks on bad facebook links (without intrusive toolbars and link checkers please), and I will sell you hundreds of copies in my little shop alone.
Re:Bigger problem than imagined. (Score:4, Insightful)
Um, the viruses you see infecting systems will, pretty much by definition, be the ones that get past the AV software. You won't be asked to remove a virus that the AV software on the machine will catch, because the AV software will catch it.
Re:It's a matter of time, stupid! (Score:5, Insightful)
In many cases if you do things right (esp on servers), AV software is more likely to cause problems than viruses. Every now and then you hear of an AV software with a system crippling false positive or other big problem. So if you are sandboxing stuff, and not regularly adding 3rd party software to a server or browsing with it, installing AV software on servers is more likely to cause problems than it'll ever solve.