Today's antivirus apps ARE 'worse at slaying hidden threats'

The effectiveness of antivirus products has declined, according to tests by German testing outfit AV-Test.org. AV-Test put 25 antivirus products for home users and eight corporate endpoint protection software applications through their paces in November and December 2012. Only an average of 92 per cent of the zero-day attacks …

COMMENTS

This topic is closed for new posts.
  1. Lee Dowling Silver badge

    AV is ineffective. It does some things but not nearly enough to justify its cost, performance hit, and other problems. You only need to work in IT for a while, especially with the front-end of business and networks, to see this. We deploy it because even some things like PCI certification require "up-to-date anti-virus".

    In all the years I've been deploying AV, I've seen it stop only a bare handful of the most benign infections. Most of the real ones, that start popping up pornography on students' PCs, or trying to delete entire drives, or even things like "encrypting" every single file on every shared network drive that it has write access to and deleting the original, have gone undetected no matter what the manufacturer, or how often you apply updates.

    AV is a bouncer's list of who not to let in, and about as accurate. Sure, it stops some known troublemakers but 90% of the people who start a fight inside the club aren't being dealt with for years after their release (my bursar just got an AV update that marked an email that was FIVE YEARS OLD in his archive as a virus - it was a true detection, but it took that long for the signatures to appear that it could recognise it). You wouldn't let your bouncer JUST stop the people on his list and ignore the fights breaking out behind him (which is the bit that SHOULD be dealt with by "heuristics" but they are even more performance-killing and ineffective), so why do we tolerate AV?

    Basically AV is a miner's canary. When it falls over, because a virus has disabled it usually, that tells you something is wrong. That's not the ONLY indication you are given, and sometimes it doesn't give an indication at all. But it's the only useful purpose of AV (and I've seen more AV drop off the network because a virus turned it off, even without admin access!, than I have successful network detection of viruses).

    We use it because some stupid people think it's necessary. What the actual fix is is less-powerful users, easier-to-control permissions, and easier-to-roll-back-from-anything systems (I should not have to put entire machines back to a known-good state just because one program as a limited user ran riot and infected their own files). Until then, AV companies will still reel in the money detecting next-to-nothing and ghosts in the machine rather than actually STOPPING programs being able to delete or write to arbitrary files without permission.

    1. Fuzz

      Problem is people don't like not having access to files

      I have friends who are pretty IT literate and they refuse to accept that it's not stupid when Windows denies you write access to Program Files. They can't grasp that there should be no reason to write to Program Files as a normal user, and if they have a program that requires that then either the program needs rewriting or the program should set the correct permissions when it installs.

      1. Piro Silver badge

        Re: Problem is people don't like not having access to files

        They're not THAT literate, really.

        Also, these results make me happy, as in the job I'm in currently I saw a roll out of F-Secure, and it's right up there. I also use it on my home machine.

      2. Lee Dowling Silver badge

        Re: Problem is people don't like not having access to files

        I don't understand why every Windows program isn't "bottled" into its own private area. Let it write to the Program Files folder. Just not the "real" one, and let the admin determine which overrides what (so you can have the "real" Program Files folder always take precedence over anything installed by a particular app).

        When you uninstall, you delete the bottle. Thus, you don't cripple Windows by removing vital files that it overwrote. You don't leave traces of the program everywhere. You don't end up with a million old copies of msvcrt.dll because everything bundled one and left it around "in case it broke something". You can rollback to previous versions of a bottle without worrying about X needing DLL Y and vice versa. Do the same for registries (because that's just another abstraction over a file access).

        If a program wants to work on a user document, a copy is created inside its bottle (so it only sees the files that the user actually gives it - hell, it can list all its wants of what the user lets it see, but actually opening a particular user file requires permission SOMEWHERE) and, if the user wants, the changed file is propagated back into the user's documents when it's closed (again, with suitable rollback - we have Shadow Copies - USE IT!).

        Do the same for ANY startup list or service (and having several of these lists is RIDICULOUS) - let the program do what it thinks it's doing, then ignore it, then have the user decide (by domain policy, or user restrictions, or popup, or whatever combination is appropriate) whether it ACTUALLY gets to do that for real, and with rollback. Then it doesn't matter that program X comes bundled with toolbar Y that always tries to install - it thinks it's installed successfully, even when run as admin, can't tell that it hasn't, and the user isn't affected (and network admins can just have all these options turned off so programs think they are trashing C:\ or installed in the root, or in the startup entries, or have installed their pseudo-printer or whatever, when in reality nothing has changed for any user, even the admin).

        Programs can do anything stupid at any time. Let them. Then ignore that stupid action. That's how it works, without having to stop things running (and cause uproar from users and application producers alike), without seven million permissions dialogs, and without breaking backward compatibility. Don't just allow virtualisation of the OS, let every program be "virtualised" and think it's writing to C:\ when in fact it's writing only to its own private bottle. MS even understands how to do this - some registry compatibility layers for old Windows do exactly this kind of thing!

        A program demands admin rights for some archaic / stupid reason? Give it to them - as a user that is limited but can "fake" any access it likes. Hell, let it be "admin10437" inside a chroot-like jail that only admin10437 writes to or reads from, which it is unable to escape because it is IMPOSSIBLE to tell that it's in a bottle (i.e. it writes to C:\ as far as it's concerned, it just doesn't happen for real) and which is contained inside a subfolder of the real OS that is able to ignore any and all registry, file or other things inside that bottle at will.

        There's no excuse for sloppy task management, not even "compatibility", or confusing administrators. It can all be done TODAY. And then when a virus comes along, it ends up in a bottle, on its own unable to see anything or do anything interesting, and - if detected - can be rolled back safely in a second including any and all hooks it TRIED to put into the OS (and, obviously, would have failed at doing on any non-trivial permission setup).

        Fact is, as the most limited of users, you can still wreak havoc on a typical Windows PC even if that's just making it so busy that you can't log it off, or deleting all that user's documents. That SHOULDN'T happen, ever. We have the technology, it's there. Just make every execution run inside a bottle rather than have access to the system itself.

        A program may REQUEST that I put it into startup lists, but it cannot MAKE me, or do it for me unless I want it to. It shouldn't even be able to detect whether I have allowed that or not. Windows still hasn't sorted silly little things like this (hell, startup lists - some of them, not all - have been hidden away inside msconfig for years and aren't user-friendly at all).

        Solve this sort of thing, and you don't need to break ANYTHING, and the rest solves itself.

        1. Anonymous Coward

          Re: Problem is people don't like not having access to files

          Sounds like M$ needs to buy invent Sandboxie.

        2. Davidoff

          This is already done...

          ...since Vista when MS introduced virtualized system folders. And MS has published style guides which describe how programs should be designed and where which files should go to keep everything clean and tidy.

          Unfortunately MS still underestimated how crap the majority of software developers are, who happily ignore any platform style guide and work around operating system protection mechanisms, breaking the system for anything else that is installed, too.

          And this crapness includes large software houses as well. Yes Google, I look at you! Whoever decided that Chrome should install in the user data directory should be shot!

        3. Anonymous Coward

          Re: Problem is people don't like not having access to files

          Lee, I felt obliged to downvote your previous post and upvote this one.

          In our organisation we are finding the AV to be effective at nabbing viruses before they do any damage. However I think this is not necessarily traditional signature based AV, but smarter stuff like sandboxing as you have described it in the second post.

          The iOS-like application sandboxing by default would make a big difference.

        4. Silviu C.

          Re: Problem is people don't like not having access to files

          @Lee

          Actually, there is a piece of software out there that does, in some parts, what you suggest. Wine. On any platform it supports it can create any number of bottles (prefixes they call them) that store a fake Windows-like filesystem structure. Two other pieces of software that use it make bottling up applications even easier: PlayOnLinux/Mac and Crossover for Linux and Mac. The catch? While it can run a whole lot more software than it could before, it still requires in some cases that native, redistributable bundles of various Windows libs be installed (DirectX redist, .NET framework redists etc.). So this does not prevent duplication of libs, yet. I can control what applications in each of those bottles are able to access by mapping various directories as drives. All the program sees are drives C, D etc. I can easily archive the bottles and restore them in minutes if ever something goes wrong.

          So while it is still not better than Windows at running Windows programs, Wine is still a better Windows than Windows.
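The prefix layout, drive mapping and archive/restore workflow described in the post above, as an added example that is not part of the original thread: Wine maps drive letters through symlinks in the prefix's dosdevices/ directory, so a bottle can be given exactly one host directory to see, and the whole prefix snapshotted and put back with tar. The prefix skeleton here is built by hand (a real prefix comes from wineboot) so the script runs without Wine installed.

```shell
#!/bin/sh
# Added example, not from the thread: a hand-built Wine prefix ("bottle"),
# one host directory exposed as drive D:, and snapshot/restore of the bottle.
set -eu

# Minimal prefix skeleton. Wine itself creates drive_c/ and dosdevices/,
# with dosdevices/c: pointing at ../drive_c; we mimic that layout only.
make_prefix() {
    prefix=$1
    mkdir -p "$prefix/drive_c/Program Files" "$prefix/dosdevices"
    rm -f "$prefix/dosdevices/c:"
    ln -s ../drive_c "$prefix/dosdevices/c:"
}

# Expose a single host directory to the bottle as a drive letter. A program
# run inside the prefix sees only the drives listed in dosdevices/.
map_drive() {
    prefix=$1; letter=$2; hostdir=$3
    rm -f "$prefix/dosdevices/$letter:"
    ln -s "$hostdir" "$prefix/dosdevices/$letter:"
}

# Which host path a drive letter resolves to (the symlink target).
drive_target() {
    readlink "$1/dosdevices/$2:"
}

# Snapshot the bottle. Symlinks are stored as symlinks, so the drive mapping
# survives but the mapped host data is not duplicated into the archive.
snapshot_prefix() {
    tar -C "$(dirname "$1")" -cf "$2" "$(basename "$1")"
}

# Throw the damaged bottle away and unpack the last good snapshot in its place.
restore_prefix() {
    rm -rf "$1"
    tar -C "$(dirname "$1")" -xf "$2"
}
```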

        5. Anonymous Coward

          Re: Problem is people don't like not having access to files

          1980's Amiga then, but as always, it needs the software producers to play ball; if M$ refused to let badly written software install there would be blood on the streets of Redmond.

    2. Anonymous Coward

      Eeeks!

      "Most of the real ones, that start popping up pornography on student's PCs, or trying to delete entire drives, or even things like "encrypting" every single file on every shared network drive that it has write access to and deleting the original, have gone undetected no matter what the manufacturer, or how often you apply updates."

      I think we got that one this week. I'm not back in the office until much later, but any advice? I've considered sitting very quiet and letting the IT staff fix it!

  2. Joeykins

    A sentry outside the front door while the back window is wide open

    AV is a throwback to an era when virus transmission was done by infected files on removable media or attached to emails. It's very good at intercepting those, but the real problem in the world where malware is designed by organised crime gangs is that the target is remote code execution vulnerabilities in the near-ubiquitous applications and plugins (IE to a lesser extent now, but Flash and Java). Too many people have computers filled with unpatched versions of these apps because there isn't a central updater for them that enforces the update. I've had people bring in home computers running Vista RTM because they've continually dismissed the messages about the service pack installation, and that's from Windows Update which is a better example of updates being delivered well.

    MS need to put out a utility similar to the Secunia PSI which puts the latest versions of the vulnerable plugins on people's machines and enables future automatic updates from the publishers that is opted in by default.

    As an aside, I've been getting all of my less tech savvy friends, family and co-workers to put the Secunia PSI on their home computers and there has been a significant decrease in the number of infections I've been asked to look at.

  3. koolholio

    Pro-active Prevention and Planning is key!

    As simple as the title reads... the 3 P's

    Filters are useful, better than just a heuristics engine with signatures!

  4. jason 7

    A big rush for everyone to discredit everyone.......

    ...since MS bundled the rebadged MSE in Windows 8.

    Now the gentleman's agreement is over, it's gloves off and a right slanging match has ensued.

    Given that the worst virus stuff is written and released on a daily schedule, it's a no-win situation.

    I always say getting a virus is like a broken windscreen. You can go years without one and then get two in as many weeks.

    1. This post has been deleted by its author

  5. banjomike

    Microsoft Security Essentials isn't SUPPOSED to be wonderful...

    ...it is only for people who can't be bothered to find and use any of the better free products (i.e. Avast) and wouldn't even DREAM of spending cash on software to protect their computers.

  6. TRT Silver badge

    Bitdefender...

    Looked like it fared well in that test, but then I checked the system requirements. Looks OK in terms of OS, CPU, Free space, but then...

    Software requirements:

    Internet Explorer 7 and higher

    .Net framework 3.5 (automatically installed by Bitdefender if necessary)

    Supports/Integrates with:

    Web Browsers:

    Firefox 3.6 and higher

    Thunderbird 3.0.4

    Outlook 2007, 2010

    Email Clients:

    Outlook Express and Windows Mail on x86

    .Net framework 3.0

    So, it doesn't integrate with IE7+ which it requires, and it only protects the HTML rendering part of Thunderbird and Outlook? Hmm... Or did they simply make a mistake creating the web page?

  7. Robert Helpmann??

    However, bottom line first...

    My brain shut down when I read that. I did a bit of digging around Imperva's web site and dug up this gem: "...most Web attacks can circumvent network security products like IPS and next generation firewalls; these products are not designed to patch application vulnerabilities or detect evasion techniques." Shulman and company certainly have rhetorical flair.

    My perception at this point is that Imperva's products are being sold to the boss rather than the technical staff. Anybody who buys into their arguments is likely to get what they deserve, if not what they thought they were paying for.
