Microsoft vs. McAfee: How free antivirus outperformed paid

TOPICS: Security, Microsoft

How effective is free antivirus software? I had a chance to see a real, in-the-wild example just this month, and the results were, to put it mildly, unexpected. The bottom line? Microsoft's free antivirus solution found and removed a threat that two well-known paid products missed. Here are the details. [Update: After I published this post, a second example appeared, courtesy of a rogue commenter in the Talkback section. See the results at the end of this post.]

I've had Microsoft Security Essentials (MSE) installed on my main working PC for most of the past year. Mostly, I use it for real-time protection. I typically disable the scheduled virus scans on my PCs and instead occasionally do a manual scan just to confirm that nothing out of the ordinary has snuck through. Last month I decided to perform a scan using the Full option. Because I have 2.5 terabytes of hard disk space, with roughly 40% of it in use, I knew the scan would take a long time. So I scheduled it to run while I was out running errands.

When I came back, here's a snippet of what I found:

MSE had detected several files that it considered malicious. One was a rigged PDF file (not shown here). The other was a single file in the Java cache folder on this system that contained three separate exploits. Using the information in the MSE history pane, I found the file and uploaded it to Virustotal.com, which is a free service that allows you to scan a suspicious file using 43 separate antivirus engines. The file, identified by a unique hash, had already been analyzed, so I got the results immediately:

Only 17 of 43 antivirus products detected this as a threat. The full results page showed the identification, if any, for each product on the list. Microsoft, Symantec, Avast, and F-Secure were among the engines that flagged the file. But the majority didn't. That means one of two things. Either the file was a false positive, and I was about to delete something harmless and perhaps even necessary. Or it was real, and most AV programs were missing it.

To get to the bottom of the issue, I sent e-mail messages to contacts at three companies. I asked Microsoft to reanalyze the file and confirm that it was indeed malicious. I also asked McAfee and Sunbelt to look at the file; both of them had reported the file as clean, according to VirusTotal.

Microsoft had two analysts review the file. Here's a portion of their response:

We have confirmed that the threat detection you received from Microsoft Security Essentials is indeed valid. There were more than 3.5 million reported CVE-2008-5353 attacks in Q3 2010, and Java vulnerability exploitations like these, while once a rare occurrence, have spiked this year. … [T]his exact file is something we have seen in the wild more than 40,000 times in the past six months.

This October 18 post by Holly Stewart on the Microsoft Malware Protection Center blog provides useful additional detail on why these types of attacks can be challenging for IDS/IPS vendors, as well as the steps customers should take to ensure that they are protected.

According to the scan results, this threat was first identified in definition 1.85.1774.0, which was released by Microsoft on July 9, 2010.

McAfee responded quickly to my e-mail as well. A spokesperson sent this reply:

Our Labs team took a look at the file you referenced and it is malicious. We are in the process of developing new heuristics to combat the effects from a stream of recent malicious JAR files more proactively, the file corresponding with the hash you mentioned is in the queue.

Sunbelt's Malware Response Manager, Dodi Glenn, reported that this file was in the company's repository and submitted it for detailed analysis. Here are the results:

This file contains a malicious java.class … that exploits the CVE-2008-5353 vulnerability. … We are currently testing our updated detection for this exploit and expect to release it shortly.

The good news is that my system wasn't compromised in any way. The exploit in question was blocked by a Java update that I had installed last year. Likewise, the booby-trapped PDF file (which all of the antivirus programs detected) relied on the user having a very outdated version of Adobe Reader installed, and mine was fully up-to-date.

Last week, when I wrote about Microsoft's decision to expand its distribution of Microsoft Security Essentials via Microsoft Update, McAfee complained that free software simply isn't as good as its paid protection. Here's what a spokesperson told me:

McAfee wants consumers to be safe online. Options that provide an elementary level of security are free products including Microsoft Security Essentials, however these mostly rely on traditional protection mechanisms.  McAfee products offer not only more features but most importantly, McAfee products offer real-time protection using cloud-based Global Threat Intelligence to combat even the most sophisticated threats thus ensuring complete protection and peace of mind.

In this case, at least, that protection wasn't as complete as the free Microsoft product it was comparing itself to.

As an aside, it's worth noting that criticizing Microsoft Security Essentials because it's free misses an important point. MSE uses the same scanning engine and definitions as its enterprise-grade Forefront product, which is most assuredly not free.

One certainly shouldn't draw definitive conclusions from a single anecdotal example, but as this case shows, the gap between antivirus products isn't as simple as free versus paid, and even the best and brightest researchers can miss a threat.

Update 15-Nov 7:00AM PST: Another real world example just dropped into my lap. A commenter in the Talkback section of this thread posted a link to a news website claiming to offer a video of the full Sunbelt report. (The malicious comment and link were deleted almost immediately.) Visiting that page (which is hosted on a legitimate website that has clearly been compromised) displayed a video window with the message "Sorry, this video cannot be played. Problem: plugin is not found." It then helpfully included a "Download plugin" link. Here's what the browser displayed:

Of course, this is one of the oldest tricks in the malware book. The link leads to an executable file, which I downloaded (but did not execute) on a system that was not running any antivirus software and submitted to Virustotal.com. The result? 15/43 scanning engines detected it as malware. Microsoft Security Essentials was one of them. It identified the file as TrojanDownloader:Win32/Waledac.C, which was originally included in definition file 1.63.2017.0, released on August 27, 2009. The McAfee Gateway edition identified it as a suspicious file (and thus would have blocked it). McAfee's consumer product line did not detect the threat at all.

To its credit, Sunbelt successfully identified this threat. On the list of companies that missed it? Symantec, Avast, and TrendMicro.


Talkback

241 comments
  • have a client running sav endpoint 11

    whenever one of their workstations tried to access their as400, it would fail. figured it was a virus, so i downloaded and installed mse.

    found the alureon virus and the as400 access was restored. they tried scanning, i don't know how many times with sav, to no avail.
    and i've seen this scenario more than once.
    g_keramidas@...
    • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

      @g_keramidas@... Just one problem:

      ALL A/V solutions (including MSE) will miss an alarming amount of malware. Ed Bott sort of missed mentioning that part, which is rather dangerous considering that folks may just stick with (or switch to) MSE, thinking they'll be safe as houses in doing so.

      I get paid quite well for (among other things) keeping Windows malware at bay... but this article underlines a very solid reason my work laptop runs Linux as its platform, and why I only use Macs at home. Not that either is perfect, but I like the odds better by doing so.
      Random_Walk
      • The antivirus model is flawed

        You need to restrict the user's ability to run executables.

        MS doesn't seem to care. Enjoy your malware.
        Richard Flude
      • My Mac had a virus last week

        For someone who claims to be so security conscious. You are being a bit careless assuming Linux or especially Macs are better? I run Sophos Free on my Macs and to my surprise it finds Malware. I think anyone who is intelligent in security would never assume any platform to be safe.
        jscott418-22447200638980614791982928182376
      • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

        @Random_Walk
        me too. So far, the Mac viruses that I have heard about, from people who were crazy happy that Mac had a virus, require you to enter your password to give them permission to run.
        RedVeg
      • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

        @Random_Walk The BlackHat society has shown many times that the Mac and Linux platforms are at much greater odds for getting malicious software than is Windows 7. You like most Mac zealots are stuck on the past with the swiss-cheese of OSes, Windows XP. That's old news. Grow up.
        Narg
      • That capability exists today.

        @Richard Flude: "You need to restrict the user's ability to run executables."

        And has for quite some time. Time to join us in the 21st century.

        "The antivirus model is flawed"

        This we can agree on. I'm still wondering why people continue to recommend it and ignore other, more proactive and beneficial, recommendations.
        ye
      • Richard Flude, Apple does not seem to care

        Whether your Apple product has malware, otherwise
        they would not imply that their software "can not be infected".

        Logic would prove it is Apple that does not care.
        :|
        Tim Cook
      • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

        @Random_Walk I agree that they all miss stuff, but I've found through experience (by using windows / osx and linux, not isolating myself from the most used OS on the planet) that MSE is one of the better ones. Between MSE and the malwarebytes product, they catch pretty much everything.

        Norton, McAfee, Trend etc are very similar. It's as if they compete with each other on interfaces, and ignore the point. Norton and McAfee top my list for most hated software on the planet, primarily due to the difficulty in removal, and the issues they cause with the remnants they leave behind.

        I also get paid quite well to (amongst other things) keep malware at bay. However, I believe I am more objective about the realities of threats. As you would know (as a highly paid individual), if it is connected, it is at risk (regardless of Linux/ Osx etc). Most infections are caused by ignorance / stupidity, of which I am sure you don't suffer.

        However, if you don't run some form of AV on these products, I can send a tech around to help you with that :)
        stewymelb
      • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

        @Random_Walk
        Question is how long it will take malware writers to move to Linux or Mac platforms once most of the users start using these platforms for daily tasks.
        babscontact@...
      • Don't tell me what I can't run

        Richard Flude said "You need to restrict the user's ability to run executables."

        While Microsoft may do anything it wants to with the computers that it owns, I wouldn't care for them to do any more restricting of what I may run. It's my computer, not theirs, and not yours Richard.

        All the security bimbos have pressured Microsoft to make computers too unusable in their efforts to appease the security kooks, and security media. There are programs that I have to jump through amazing hoops to run. And programs that I have to tell every time that they go to run that yes they really are OK to run. And programs that will not run at startup without an amazing amount of effort.

        There has to be a balance between security and usability. The most secure computer would allow no user input at all. We could only watch what was on the screen. But I guess that we already have that and call it a television. I can't think of the last time my tv got a virus, so I guess that if we really want to eliminate the problem with viruses we could just remove keyboards and mice from all computers.
        itsme2003
      • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

        @Random_Walk, I agree and run linux for the same reason, but I think the real point of this story was the fact that free AV's are catching things that the paid AV's are missing, and I have to say, McAfee is probably the worst AV to test anything against, I have seen it miss so many viruses in my day it's not even funny, I am also a proponent of free software, which is why I usually set up most of my users with Avast.

        @Richard Flude Most malware doesn't come in form of an executable, it's usually an active X plugin, or some other form (PDF comes to mind), so your logic is flawed as well.
        nickdangerthirdi@...
    • Linux?

      Another case of a Windows vulnerability that linux is safe from. Also with linux when it does its typical updates process it updates ALL programs, codecs, drivers, libraries, adobe stuff and everything. With Windows "updates" almost none of these get updated, you have to update each of those individually. Why risk staying with Windows?
      Regards from
      Tom :)
      Tom6
      • The Linux and Mac crowd take any chance to jump on Windows.

        @Tom6 Hey, Windows 7 is awesome. I have been using it for a year and a half with no problems what-so-ever. My daughter's mac freezes at least three or four times a week and she has to reboot it to get it to work again. Virus scanners find all kinds of nasty stuff on her Mac. MSE finds all kinds of stuff on mine as well, but it stops it. I am very happy with Windows 7. It rocks and would not trade it for anything else, especially the backward, good for nothing, and fragmented Linux desktop.
        samofdetroit
      • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

        @Tom6 ... Because it works for me, which Linux cannot, with its lack of needed drivers.
        twaynesdomain-22354355019875063839220739305988
      • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

        @Tom6

        Just for the sake of joining in the fray on this endless adhoc between Linux and Windows...

        The real question: Why risk staying with Linux? I mean really: using Linux exclusively is like the Patriot Act... After a while, you must realize that you aren't safer...you're just less free.

        Being that you probably don't accomplish much more than web surfing on your Linux-box (oh, yeah, and Open Office Docs), you probably never run into a driver issue where an OLDER driver is more appropriate than a new one. How annoying it would be if that driver you needed kept updating to a new driver because it wanted to...

        Sure, you could probably set it not to update, but isn't that sooo much trouble? Especially considering that you then have to set your download libraries and then double check those to make sure they're adhering to your requests...

        I know your Linux. Well...not Linux--Ubuntu. It was fun...a lot more efficient web-surfing than any other platform. It's just when I want OPTIONS with doing other things, they don't seem provided...and I have to do quite a bit to find what I want...then I have to hope it works...

        I fix machines at work. Fun job, but I don't want to bring it home. When I'm home, I want to EASILY relax and enjoy my family...

        You must have time on your hands that I don't...

        So why intelligently stay with Windows? Because they have experience with threats, have developed for over twenty years, have a user-base that makes it easier to discern between good and not-as-good software, and...it's the only way I can use Microsoft Security Essentials that I have been touting since earlier this year--when I installed Windows 7.

        You can stay in the '60s and '70s with your technology if you want, Tom... But it's the twenty-first century...and command-line isn't cool unless you're FIXING something...
        GSystems
    • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

      Unlike most folks who just point and click, I read the EULA.
      Way too intrusive for me.
      Violate
  • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

    First of all McAfee is crap and so are their products besides SiteAdvisor. They have a partnership with DELL and other companies that's why so many users are forced to use their products because it comes pre-installed but the fact is Norton Antivirus and Norton Internet security are far better than their products. As soon as I got this laptop I removed McAfee security center from this laptop and installed Norton Internet Security 2011.
    shellcodes_coder
    • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

      @shellcodes_coder

      Norton is just as bad as McAfee and it is even worse when it comes to bogging down your system and raising the cost of the subscription every year. Neither McAfee nor Norton would be in my top 8 programs that I would use for antivirus.

      I used to use MSE in conjunction with Avast but I find MSE is all I need now.
      Mythos7
      • RE: Microsoft vs. McAfee: How free antivirus outperformed paid

        @Mythos7 You might want to update your data on Norton Internet Security.
        MikeR666