Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 10, 2016, 08:41:56 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Why the popular antivirus products simply dont work  (Read 4465 times)

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: -5
  • Posts: 3,397
    • View Profile
    • Donate to Member
Why the popular antivirus products simply dont work
« on: July 21, 2006, 11:30:04 AM »
http://www.zdnet.com.au/blogs/securifythis/soa/Why_popular_antivirus_apps_do_not_work_/0,39033341,39264249,00.htm

Quote
Antivirus applications from Symantec, McAfee or Trend Micro -- the three leading AV vendors in 2005 -- are far less likely to detect new viruses and Trojans than the least popular brands.

This has nothing to do with the quality of the software or how long it takes the respective firms to update their clients with signatures and other malware countermeasures.

AV companies continue to refine their products and most will tell you they stopped relying on purely signature-based systems many years ago. These days they use all sorts of clever methods to try and detect suspicious behaviour but the problem is that malware authors are also very clever. Very, very clever.

More at source

JavaJones

  • Review 2.0 Designer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 2,717
    • View Profile
    • Donate to Member
Re: Why the popular antivirus products simply dont work
« Reply #1 on: July 21, 2006, 01:52:51 PM »
I'm not sure how accurate this is in terms of statistics (8 out of 10, etc.), but it makes logical sense. It's easy to get pirated versions of most A/V apps so it's hard to imagine a malware author *wouldn't* pre-test their creations with at least one of the most popular ones. It's surprising that Norton still has 50+% market share, all the more reason to avoid them as an end user given the info in this story.

Anyone see any reason to dispute this? As I said it just seems logical to me. Of course it's only really important for "0-day" vulnerabilities - getting hit with something that hasn't been seen before. It's not too long before a new signature database is put out that fixes the problem and the likelihood of getting a 0-day attack is pretty low. Still, an interesting thing to consider.

- Oshyan

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: -5
  • Posts: 3,397
    • View Profile
    • Donate to Member
Re: Why the popular antivirus products simply dont work
« Reply #2 on: July 21, 2006, 02:44:25 PM »
I dont think this applies to just anti-virus products. It applies to any software. I mean, Windows has so many holes found because it is the most used OS. I guarantee, if macosx were the most used, it would have just as bad a name as windows does now. Dont get me wrong, the engines for these a/v's are good, they are just bypassed because its the majority marketshare holder.

JavaJones

  • Review 2.0 Designer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 2,717
    • View Profile
    • Donate to Member
Re: Why the popular antivirus products simply dont work
« Reply #3 on: July 23, 2006, 02:20:01 AM »
Yep, I tend to agree. In fact it'd be interesting to look at the statistics on exploited vulnerabilities - see if the ~5% market share of OS X corresponds to a similar exploit rate. :D

- Oshyan

Wordzilla

  • Forum Search Daemon
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 470
  • Two there should be; no more, no less.
    • View Profile
    • FreeThesaurus.net - The Free Online Synonym Finder
    • Read more about this member.
    • Donate to Member
Re: Why the popular antivirus products simply dont work
« Reply #4 on: July 23, 2006, 07:00:21 AM »
Viruses are well tested before their release - all the time! Do we see viruses crippled due to internal bugs?

IMO, 'heuristic detection' shall always remain a joke if virus makers test their work against a/v products, and of course they do - you don't often see your a/v product pops up a message box that says "unknown virus/malware - cleaned", do you?  ;D

Well, I don't think those popular a/v products sometimes suck simply because they're market leaders; new viruses emerge and go wild undetected everyday because they are new and unknown.

Large anti-virus companies generally are more willing and able to put more resources into hunting new viruses and update their products, and of course, to fund the R&D of more advanced engines. This gives them a better edge against the less popular vendors. For many of those small vendors, they might not even get aware of new malware until popular vendors update their virus encyclopedias. The more vigilant and responsive your a/v product vendor is, the less vulnerable your system is.

Quote
80 percent miss rate

actually it talks about 80 percent of new malware, which might be a gross underestimation, if you define 'new' as 'within a week of first discovery/detection by someone'. AFAIK, none of those mentioned popular a/v products are good at detecting/eliminating new malware (actually they are most often blind and deaf even with up-to-the-hour patches.)

My suggestion is to install one or more anti-spyware products (best with real-time detection) in couple with your existing anti-virus program.

Nothing kills new malware - if they are new enough.  ;)

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,666
    • View Profile
    • App's Apps
    • Read more about this member.
    • Donate to Member
Re: Why the popular antivirus products simply dont work
« Reply #5 on: July 23, 2006, 08:01:08 AM »
IMO, 'heuristic detection' shall always remain a joke if virus makers test their work against a/v products, and of course they do - you don't often see your a/v product pops up a message box that says "unknown virus/malware - cleaned", do you?  ;D

It is a joke when the only malware found on my pc while scanning with A/V or anti-spyware, is the Delphi source code to projects I wrote myself. (there might be some crappy coding in them but they aren't malware...lol)

I have also seen way too many false positives that can threaten the reputation of honest up & coming programmers. It is getting to the point where you need to have a copy of about every anti-virus available to test on your own programs before releasing them. Otherwise you could become a victim of a reputation destroying false positive.

And antivirus vendors don't really do anything about it when this happens. I have submitted many files to McAfee and Symantec, along with the source code of those files, on behalf of people from my programming group. I have only once received a reply back, and none have done anything to correct the problems....not even an 'oops...sorry about that' apology.

I have had to pull about 8-10 files off my group's site within the last year because of this...one of them being something of my own. 3 of them were javascript games packed with 'HTML2exe Baler' (please read user reviews if you don't believe me).

Most of these false positives seem to occur with plugins made for other applications. They are misidentified as various keyloggers or unknown virus/trojan.

My tip for programmers that make plugins: Be very careful what methods you use to grab window handles or detect & hook into the applications you make plugins for. Something as innocent as a message box and grabbing mouse position when the user places it over the application and clicks the OK button, can trigger a false positive as a keylogger, depending on how you code it.

So much for 'heuristic detection'.  :-[


f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Why the popular antivirus products simply dont work
« Reply #6 on: July 23, 2006, 09:03:58 AM »
Quote
Viruses are well tested before their release - all the time! Do we see viruses crippled due to internal bugs?
It's happened more than once. The old DOS virus "whale" was pretty bugged (because it was complex), and it's not the only one. Some worms have been much less effective than they could be, because of coding bugs.

Quote
IMO, 'heuristic detection' shall always remain a joke if virus makers test their work against a/v products, and of course they do - you don't often see your a/v product pops up a message box that says "unknown virus/malware - cleaned", do you?
No, but I've 'often' seen a popup saying "this file is suspicious, access blocked". And good old TBAV for DOS was sometimes able to disinfect unknown viruses.
- carpe noctem