It ain't that folks don't know, it's that folks know so much that just ain't so
Richard Thomas: By "standard" you're probably referring to the WildList set of samples? I see that some anonymous poster has mentioned it too. Well, folks, the WildList is CRAP. It's an arbitrary set of viruses that bears no similarity with what is actually in-the-wild (ITW). Things that are ITW are not on it. Things that are on it are not ITW. It's crap - mostly because of the utter incompetence of its maintainers. I have an article on this subject, google for it. The only thing such a "standard" provides is reproducibility of the tests. However, the tests based on it are absolutely no measure of how well AV products fare against what is actually out there, infecting people's machines.
Anonymous: Who the heck is Thwarte? Do you mean Thawte - the PKI guys? Anyway, NOBODY outside the AV industry has sufficient expertise to maintain a well-organized set of virus samples. NOBODY. Not Thawte, not anybody. How do you think this is done? By running a bunch of scanners on the samples and seeing what they report? The proper way to do it is by analyzing every single sample - which means that you must know a lot about viruses, reverse-engineering, file formats and a whole bunch of other things. And if you already know that, you work in the AV industry, guaranteed. Which means that you're too busy developing your product and don't have time to organize somebody else's test set. And how would Thawte, who have ZERO virus expertise, decide exactly which viruses are ITW?! Ho-ho-ho.
Pascal Monett: You're falling into the pit of "whitelisting" - and I've debunked this myth here before (see also my paper in the August issue of Virus Bulletin). Who exactly will decide which processes are "known" and "should be allowed to run"?!
Mike P: Sites like VirusTotal and Jotti cause more harm than good. I'm writing an article for Virus Bulletin on this subject right now. The people running them have absolutely no clue. The scanners they use are often different from what is sold to the customer. If a couple of scanners have a false positive, the whole AV industry is forced to deal with the "but why don't you detect this" syndrome. The samples that the sites provide to the AV people are 99.99% crap and unnecessarily tie their resources to sift through it for the occasional gem (i.e., a genuine, working, new virus). "If you understand computer a bit, you don't need AV !" - very true. Sadly, the remaining 97.24% of the computer users still need one.
Anonymous: "get a nice fresh PC then dump as much Malware on in it as you can without killing it then run your AV products and see who finds, removes or misses the most" - problem is, there are half a million known malware programs to choose from. If you're going to use only a subset - how do you decide which ones to choose? If you're going to use every one of them - where would you find the time and other resources to do so? But, yeah, that's, theoretically, the proper way to test AV products - install the full product (not just the scanner!) and keep throwing live malware at it (instead of just scanning static samples safely tucked in a directory and never executed). Fully restore the PC between every two attempts. But it's way too difficult and time-consuming to do it properly.
Morely Dotes: As I said, Virus Bulletin tests (VB100) are "not bad". Which doesn't mean that they are very good. They still use mainly the WildList test set (thank goodness, not exclusively) and still test only scanners (thank goodness, the on-access scanner too - not just the on-demand one).
Rob Crawford: You're behind the times. In the early 90s (when Thunderbyte still existed), McAfee's product was indeed total crap. But they later bought S&S International (Dr. Solomon's Anti-Virus ToolKit) and incorporated Alan's excellent scanner in their product. Acquired several of Dr. Alan Solomon's world-class AV researchers, too. That's why McAfee's scanner is nowadays one of the best, as far as virus detection goes.
James: You aren't paying attention. I said "if Linux becomes as widespread and easy-to-use as Windows (*both* factors are essential)". I cannot "try it on a Linux system" now, because Linux is currently not as easy-to-use as Windows. No easily clickable executable attachments in e-mail. No ActiveX. No Browser Helper Objects. None of the remaining crap that gets so heavily exploited in Windows. Yes, it's because of that crap that Windows is so insecure. But it's because of that crap that it's so easy-to-use and popular, too. Linux won't get as popular as Windows, unless it acquires this stuff too - which means without becoming just as easy to abuse.
I know perfectly well that Linux is used for Web/ftp/news/email servers a lot. But there it is managed by supposedly competent administrators. Give it in the hands of the average lusers and it will be exploited just as much as Windows.
"Run As" is *exactly* as su. Your WordPerfect example is irrelevant - it's just a crappy application that does what it shouldn't. There are plenty of those in the *nix world too - applications that need to have the SUID bit set. (Would have been nice to have the equivalent of chroot in Windows - but you can emulate even that with sandboxes and virtual machines.) "Run As" can be used to run as any other user too - not just as Administrator. You can even "Run As" a DOS command prompt or Explorer, in which case anything you launch from there will run as admin too - the equivalent of opening a root shell window.
Everybody: Face it, folks, it's a free market. If it were possible to make an AV program that would stop all malware - somebody would have made it and we all would be using it by now. If it were possible to produce good AV tests - somebody would have started doing so by now.