Author Topic: Why the popular antivirus products simply don't work  (Read 7969 times)

Josh

Why the popular antivirus products simply don't work
« on: July 21, 2006, 11:30 AM »
http://www.zdnet.com.au/blogs/securifythis/soa/Why_popular_antivirus_apps_do_not_work_/0,39033341,39264249,00.htm

Antivirus applications from Symantec, McAfee or Trend Micro -- the three leading AV vendors in 2005 -- are far less likely to detect new viruses and Trojans than the least popular brands.

This has nothing to do with the quality of the software or how long it takes the respective firms to update their clients with signatures and other malware countermeasures.

AV companies continue to refine their products and most will tell you they stopped relying on purely signature-based systems many years ago. These days they use all sorts of clever methods to try and detect suspicious behaviour but the problem is that malware authors are also very clever. Very, very clever.

More at source

JavaJones

Re: Why the popular antivirus products simply don't work
« Reply #1 on: July 21, 2006, 01:52 PM »
I'm not sure how accurate this is in terms of statistics (8 out of 10, etc.), but it makes logical sense. It's easy to get pirated versions of most A/V apps so it's hard to imagine a malware author *wouldn't* pre-test their creations with at least one of the most popular ones. It's surprising that Norton still has 50+% market share, all the more reason to avoid them as an end user given the info in this story.

Anyone see any reason to dispute this? As I said it just seems logical to me. Of course it's only really important for "0-day" vulnerabilities - getting hit with something that hasn't been seen before. It's not too long before a new signature database is put out that fixes the problem and the likelihood of getting a 0-day attack is pretty low. Still, an interesting thing to consider.

- Oshyan

Josh

Re: Why the popular antivirus products simply don't work
« Reply #2 on: July 21, 2006, 02:44 PM »
I don't think this applies to just anti-virus products. It applies to any software. I mean, Windows has so many holes found because it is the most used OS. I guarantee, if Mac OS X were the most used, it would have just as bad a name as Windows does now. Don't get me wrong, the engines for these A/Vs are good, they are just bypassed because they're the majority market-share holders.

JavaJones

Re: Why the popular antivirus products simply don't work
« Reply #3 on: July 23, 2006, 02:20 AM »
Yep, I tend to agree. In fact it'd be interesting to look at the statistics on exploited vulnerabilities - see if the ~5% market share of OS X corresponds to a similar exploit rate. :D

- Oshyan

Wordzilla

Re: Why the popular antivirus products simply don't work
« Reply #4 on: July 23, 2006, 07:00 AM »
Viruses are well tested before their release - all the time! Do we see viruses crippled due to internal bugs?

IMO, 'heuristic detection' shall always remain a joke if virus makers test their work against a/v products, and of course they do - you don't often see your a/v product pop up a message box that says "unknown virus/malware - cleaned", do you?  ;D

Well, I don't think those popular a/v products sometimes suck simply because they're market leaders; new viruses emerge and go wild undetected everyday because they are new and unknown.

Large anti-virus companies generally are more willing and able to put more resources into hunting new viruses and updating their products, and of course, into funding the R&D of more advanced engines. This gives them a better edge against the less popular vendors. Many of those small vendors might not even become aware of new malware until the popular vendors update their virus encyclopedias. The more vigilant and responsive your a/v product vendor is, the less vulnerable your system is.

80 percent miss rate

Actually, it talks about 80 percent of new malware, which might be a gross underestimation if you define 'new' as 'within a week of first discovery/detection by someone'. AFAIK, none of those mentioned popular a/v products are good at detecting/eliminating new malware (actually they are most often blind and deaf even with up-to-the-hour patches).

My suggestion is to install one or more anti-spyware products (best with real-time detection) coupled with your existing anti-virus program.

Nothing kills new malware - if they are new enough.  ;)

app103

Re: Why the popular antivirus products simply don't work
« Reply #5 on: July 23, 2006, 08:01 AM »
IMO, 'heuristic detection' shall always remain a joke if virus makers test their work against a/v products, and of course they do - you don't often see your a/v product pop up a message box that says "unknown virus/malware - cleaned", do you?  ;D

It is a joke when the only malware found on my PC while scanning with A/V or anti-spyware is the Delphi source code to projects I wrote myself. (There might be some crappy coding in them, but they aren't malware...lol)

I have also seen way too many false positives that can threaten the reputation of honest up & coming programmers. It is getting to the point where you need to have a copy of about every anti-virus available to test on your own programs before releasing them. Otherwise you could become a victim of a reputation destroying false positive.

And antivirus vendors don't really do anything about it when this happens. I have submitted many files to McAfee and Symantec, along with the source code of those files, on behalf of people from my programming group. I have only once received a reply back, and none have done anything to correct the problems...not even an 'oops...sorry about that' apology.

I have had to pull about 8-10 files off my group's site within the last year because of this...one of them being something of my own. 3 of them were JavaScript games packed with 'HTML2exe Baler' (please read user reviews if you don't believe me).

Most of these false positives seem to occur with plugins made for other applications. They are misidentified as various keyloggers or unknown virus/trojan.

My tip for programmers that make plugins: Be very careful what methods you use to grab window handles or detect & hook into the applications you make plugins for. Something as innocent as a message box and grabbing mouse position when the user places it over the application and clicks the OK button, can trigger a false positive as a keylogger, depending on how you code it.

So much for 'heuristic detection'.  :-[

f0dder

Re: Why the popular antivirus products simply don't work
« Reply #6 on: July 23, 2006, 09:03 AM »
Viruses are well tested before their release - all the time! Do we see viruses crippled due to internal bugs?
It's happened more than once. The old DOS virus "whale" was pretty bugged (because it was complex), and it's not the only one. Some worms have been much less effective than they could be, because of coding bugs.

IMO, 'heuristic detection' shall always remain a joke if virus makers test their work against a/v products, and of course they do - you don't often see your a/v product pop up a message box that says "unknown virus/malware - cleaned", do you?
No, but I've 'often' seen a popup saying "this file is suspicious, access blocked". And good old TBAV for DOS was sometimes able to disinfect unknown viruses.
- carpe noctem