The sorry state of antivirus software


Summary: I've lost count of the number of times I've come across an 'expert' telling some poor soul who's had their PC trashed by malware that it was all their fault and that the problem could have been easily prevented by installing an antivirus package, and keeping that package up-to-date. If only life were that simple ...

TOPICS: Software, Security

I've lost count of the number of times I've come across an 'expert' telling some poor soul who's had their PC trashed by malware that it was all their fault and that the problem could have been easily prevented by installing an antivirus package, and keeping that package up-to-date.

If only life were that simple ...

My blogging buddy Ed Bott recently discovered a few malicious files lurking on his system despite having antivirus installed. Now Ed's a clever guy, so if he can have nasties lurking on his system, that should act as a warning to us all.

Note: Let's not turn this debate into a Windows vs. Mac vs Linux argument. I'm talking here specifically about security of the Windows platform.

Now, I don't have any specifics on Ed's setup, but I think that his story serves to demonstrate the sorry state of antivirus software. Let's break it down:

I’ve had Microsoft Security Essentials (MSE) installed on my main working PC for most of the past year. Mostly, I use it for real-time protection. I typically disable the scheduled virus scans on my PCs and instead occasionally do a manual scan just to confirm that nothing out of the ordinary has snuck through. Last month I decided to perform a scan using the Full option. Because I have 2.5 terabytes of hard disk space, with roughly 40% of it in use, I knew the scan would take a long time. So I scheduled it to run while I was out running errands.


First problem - scheduled virus scans take too long and hammer the system too heavily. Most antivirus solutions are designed with a "megabyte" mindset while many of us live in a "gigabyte" or even "terabyte" world. Part of the problem here is thinking of a system scan as a discrete thing that you run daily, weekly, monthly or whatever. This seems counter-intuitive to me and a better solution would be to have scanning done piecemeal during "screensaver" time. Priority could be given to certain file types but the goal would be to sweep the entire system on a regular basis.

I'll come back to why this is important later.

But is relying on one antivirus solution good enough? No, it isn't.

Only 17 of 43 antivirus products detected this as a threat. The full results page showed the identification, if any, for each product on the list. Microsoft, Symantec, Avast, and F-Secure were among the engines that flagged the file. But the majority didn’t.

Now, you can run multiple antivirus solutions on a system, but it's not recommended because you can run into all sorts of issues. Antivirus software embeds itself pretty deep into a system, so you can end up with two programs fighting it out. Another problem is the system resources consumed by multiple security applications.

So what's the solution? Well, we live in hard times and I'm pretty cheap, but what I'd like to see is a situation where the antivirus signatures are separate from the application itself, so I could run a generic scanner and choose to subscribe to multiple signature services (a bit like how Virustotal.com works, only real-time). This way I could pick and choose the signatures used to scan my system. I like this idea of greater redundancy for two reasons:

  • First, greater protection. Effectively I'd have more eyes looking at my files for nasties.
  • Secondly, better handling of false positives. Having multiple signature sets scanning files would lower the risk of false positives, or at least give me the option of further investigating files that are picked up by only one set of signatures.


Let me go back to my first point again, and the need for regular system scans of ALL files. Let's examine the chronology of Ed's story:

I’ve had Microsoft Security Essentials (MSE) installed on my main working PC for most of the past year.

...

... occasionally do a manual scan just to confirm that nothing out of the ordinary has snuck through.

...

Last month I decided to perform a scan using the Full option.

...

According to the scan results, this threat was first identified in definition 1.85.1774.0, which was released by Microsoft on July 9, 2010.

So, unless I'm missing something, Ed has had MSE installed on the system for "most of the past year." He admits to running occasional scans, and since the threat identified was added to MSE on July 9, 2010, I assume that Ed must have acquired this nasty before this date and has not run a full scan since. Moral of the story - just because something gets past your antivirus scanner today, don't assume that it's clean.
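As an added illustration (not code from the original post, and not Ed Bott's), here is a toy scanner that models the points made above: a clean verdict is tied to the signature versions that produced it and expires as soon as any subscribed feed is updated, scanning runs piecemeal within a file budget, and a file flagged by only one of several feeds is marked for investigation rather than declared malicious. The file paths and contents, feed names, versions and hashes are all constructed.

```python
import hashlib

# Constructed sample files (path -> contents), standing in for a user's disk.
FILES = {
    "C:/Users/ed/docs/report.docx": b"quarterly numbers",
    "C:/Users/ed/downloads/setup.exe": b"MZ installer payload",
    "C:/Users/ed/downloads/tool.exe": b"MZ harmless tool",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class MultiFeedScanner:
    """Checks files against several independent signature feeds and remembers
    which feed versions each file was last checked with, so a clean verdict
    is only valid until one of the feeds is updated."""

    def __init__(self, feeds):
        # feeds: name -> (definition version, set of known-bad SHA-256 hashes)
        self.feeds = dict(feeds)
        self.scanned = {}   # path -> {feed name: version used at last scan}
        self.hits = {}      # path -> set of feed names that flagged the file

    def update_feed(self, name, version, bad_hashes):
        """A new definition release; pending() will re-queue every file."""
        self.feeds[name] = (version, set(bad_hashes))

    def pending(self, files):
        """Files never scanned, or scanned with an outdated version of a feed."""
        return [p for p in files
                if any(self.scanned.get(p, {}).get(f) != v
                       for f, (v, _) in self.feeds.items())]

    def scan(self, files, budget):
        """Scan at most `budget` pending files: piecemeal, idle-time style."""
        for path in self.pending(files)[:budget]:
            digest = sha256(files[path])
            self.hits[path] = {f for f, (_, bad) in self.feeds.items() if digest in bad}
            self.scanned[path] = {f: v for f, (v, _) in self.feeds.items()}
        return dict(self.hits)

    def verdict(self, path):
        n = len(self.hits.get(path, ()))
        if n == 0:
            return "clean"
        if n == len(self.feeds):
            return "malicious"
        return "investigate"   # flagged by only some feeds: look closer before trusting either side
```

Calling `update_feed` on any one feed makes every file pending again, which is exactly the rescan that a file acquired before its signature existed needs.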

Now, given the information that Ed has supplied, it's pretty clear that his system was immune to the malware sitting on it because, being a smart guy, Ed keeps his system updated. But it goes to show how malware can creep onto a system and lurk despite having security software installed.

Bottom line, antivirus software as a whole is in a sorry state and it's failing to provide even experienced customers with the sort of security they need (and deserve). The widespread availability of free antivirus software might help reinvigorate the security industry and make it rethink how security should be done, rather than put more effort into generating hype.



Talkback

64 comments
  • Simpler to use a good OS

    That at this point doesn't require the use of an AV package.

    2 such examples are Mac OS X and Linux.
    itguy08
    • RE: The sorry state of antivirus software

      @itguy08 This response is such total BS and a huge oversimplification of the problem. No OS is perfect, everything can be targeted by malware.
      jefferyd3810
      • RE: The sorry state of antivirus software

        @jefferyd3810

        That's why I qualified it with "AT THIS POINT".

        It may change in the future.
        itguy08
      • RE: This response is such total BS...

        @jefferyd3810

        NO, he makes a valid point.

        I used to be a Windows (l)user. But I grew tired of all of the A/V scans killing the performance of my machine, and tying it up for close to 2 hours to perform a full scan on over 500,000 files. Let alone the fact that the machine slowly, over time `lost its edge`. Some may attribute that to `Windows rot`.

        I experimented with Ubuntu 3 years ago, and after about 9 months of dual booting, decided to walk away from Windows. The same old hardware, that was running as slow as molasses in a Vermont winter, had sprung back to life.

        My experience with Ubuntu has shown me that (IMHO) Windows is something to be avoided.

        The last point I must make, is that with Ubuntu (and Linux in general) IF you get `pwned`, most likely, the damage will be done to your home folder. Can you say that for Windows?
        fatman65535
      • @fatty: Simple answer

        [i]IF you get 'pwned', most likely, the damage will be done to your home folder. Can you say that for Windows?[/i]

        Yes. Even better, if it is Internet Explorer that gets 'pwned', no damage will be done to anything. Thanks Protected Mode (enabled by default)!
        NonZealot
    • Did you not read the blog?

      @itguy08

      This isn't about Apple or Linux. And your point is moot, as Apple and Linux users still need to pay attention to security, as has been proved over and over again. Go troll elsewhere.
      The one and only, Cylon Centurion
      • RE: The sorry state of antivirus software

        @Cylon Centurion 0005

        AT THIS MOMENT there is no need to run AV software on Linux or OS X. That is evidenced by the low # of malware for these platforms. Being vigilant and smart about what you install is key on those platforms. It's not the same on Windows.

        I've been an OS X user since 2002 and never ran an AV program and have no need to. Never been infected. How many Windows users can say the same?

        Again, it's [b] AT THIS POINT IN TIME[/b].
        itguy08
      • RE: ...Apple and Linux users still need to pay attention to security ...

        @Cylon Centurion 0005

        NO doubt there. Any user that thinks of a computer as nothing more than an appliance, deserves what they get.

        BUT, you miss the point. Last week, one of the office workers at my doctor's office gave me a call. It appears that she, using IE7 on Windows XP, browsed to a site in Asia (she is from that part of the world), and had this nasty called `Thinkpoint` stuffed onto her system without ANY interaction. It would NOT let her access the internet, or shut down the computer. I told her to manually power it off. The next morning, when I got there, she had already done some Googling for `Thinkpoint`, and we had some idea of what we were dealing with. Fortunately, removing it was not that difficult.

        The point I am trying to make is this:

        The design of Windows that allows any program coming in from the internet to break out of the browser, and install itself is a security risk. In Linux, that is not possible. As much as I would like to get rid of their having to use `Administrator privileges`, one app will not run as a limited user, and that is a deal breaker for them.
        fatman65535
      • Nothing to do with the design of Windows

        [i]The design of Windows that allows any program coming in from the internet to break out of the browser, and install itself is a security risk.[/i]

        That hasn't been the [b]design[/b] of Windows since Windows ME 10 years ago. XP was [b]configured[/b] poorly by default but the [b]design[/b], as you yourself admit in your post, allows you to reconfigure Windows using less privileged accounts. If you run with a less privileged account, programs from the Internet cannot "break out" of your browser and install themselves.

        As of Vista and Windows 7, the default configuration of the browser and the user account is even better than it is in Linux because in Linux, programs can break out of the browser and delete all contents of your /home directory. In Vista and Windows 7, that is not possible.

        [i]In Linux, that is not possible.[/i]

        Sure it is. It is all in the configuration. Log in as root, start browsing the Internet, and nothing prevents malware from "breaking out" of the browser and installing a rootkit. Hmmm. [b]root[/b]kit. I wonder where they got that name from? :)

        Only stupid people mix up the design of a system with the configuration of a system.

        [i]one app will not run as a limited user[/i]

        That is a problem with the design of that app and not of the OS. Oh, and if you knew anything about Windows (and you obviously don't), you can create a shortcut that will run that one app as an administrator. Right click on the shortcut, click Advanced, and check "Run with different credentials". Are you beginning to understand the difference between Configuration and Design? I hope so, for the sake of your poor Windows customers. If you [b]really[/b] want to help them though, tell them to find someone more qualified to help them out. :)
        NonZealot
    • Yawn..

      @itguy08

      I could see switching to Mac...maybe...but right now Windows is the best option for home use. I can run the widest array of software, I like Media Center, and Win7 is very stable so the tradeoff isn't worth it.

      I haven't been hit by a virus since XP SP2 so I'm in no rush to ditch Windows.
      otaddy
      • How would you know?

        "I haven't been hit by a virus since XP SP2 so I'm in no rush to ditch Windows."

        You missed the part about the failure to detect.

        Part of the problem is the signature method used by antivirus software. Needs to reach certain level of popularity before it's detected.

        Solution has always been mounting user file systems as non-executable. Admins control all executables in a managed environment. Easy on unix.
        Richard Flude
      • RE: The sorry state of antivirus software

        @otaddy

        Actually the Mac can run the widest array of software:
        Mac software
        Linux Software
        Windows software.
        itguy08
      • @Dick Flude: Also easy on Windows

        [i]Admins control all executables in a managed environment. Easy on unix.[/i]

        Also easy on Windows. Of course, I wouldn't expect someone like you who knows nothing about Windows to know this. :)
        NonZealot
    • RE: The sorry state of antivirus software

      @itguy08 Actually, at this point, you DO need to run AV for Mac and Linux/Unix. Virus/Malware authors are increasingly targeting applications (Adobe Flash, Java, etc.) and "drive-by" downloading and social engineering attacks. This means that they are becoming platform independent.

      Check Sophos, they have some good, easy to watch videos that explain the need.

      http://www.sophos.com/products/free-tools/free-mac-anti-virus/features.html

      And, yes, they have Linux/Unix antivirus too:

      http://www.sophos.com/products/enterprise/endpoint/security-and-control/linux/

      Face it, you need it. Security through obscurity is not an option. Virus makers want exposure, the more they can infect the better, and in the past that meant targeting the most used OS. PCs (Windows) are targeted mainly because they have the vast majority of the market share. But the virus makers have figured out that you can infect more machines by targeting security vulnerabilities in platform independent applications. The time IS now, it is "at this point".
      JPatrickF
      • RE: The sorry state of antivirus software

        @JPatrickF

        Funny, a company selling AV software telling me I need to buy AV software...... Conflict of Interest much? If they told you that you didn't need it they would go out of business. So it's easier to make stuff up to get you to buy into the notion you must have AV software all the time.

        Again, there are so few cross platform viruses in the wild you can safely ignore them if you are not on Windows.

        The threats for Linux and Mac users are pretty small at this time and something that many users can combat against without software.

        Get out of the thinking you need this stuff. For now you only need AV on Windows.

        Look at it this way. I can buy Bob's car that can easily be broken into with a pebble and easily hotwired with a paperclip. Or I can buy Joe's car that can only be broken into with a cinder block and can be hotwired only with a 500 ft spool of wire. Which would you buy? Sure both can be broken into and hotwired but you have a better chance of not having your car stolen with Joe's car. Bob = Windows, Joe = OS X and Linux.
        itguy08
      • Don't forget the Baby OS's

        @JPatrickF
        You forgot to mention how tempting a target those iPhones and Android phones are becoming for hackers. Some of the Malware that will target them will also target their bigger siblings. They are basically cut-down versions of both the Mac OS and the Linux OS!
        NZJester
    • Problems reading???

      @itguy08

      Huh. Dude! What part of the following did you not understand:

      Note: Let's not turn this debate into a Windows vs. Mac vs Linux argument. I'm talking here specifically about security of the Windows platform.

      Jerk!
      Coogol
      • amazing how many missed that

        @Coogol I saw that too. I use Linux for my main system but also dual boot Windows on an older system and have it as a Virtual Box machine on my newest system. Both have AVG Free edition, though the VBox can be restored via snapshot. I just reinstalled Linux. Forgot to install clam. Thanks for reminding me.

        Paul
        pfyearwood
    • RE: The sorry state of antivirus software

      @itguy08 Well then please explain to me why they make an antivirus for Macs? Norton has had a Mac product for years - I in fact ran it when I had my old PPC mac running OS 7 - OS 9.

      As for Linux... no thanks, tried it, didn't like it, got very little support but a lot of jackasses on the Linux forums so why bother dealing with it?

      Besides you obviously didn't read the part of the article that said:[b] Note: Let's not turn this debate into a Windows vs. Mac vs Linux argument. I'm talking here [i]specifically about security of the Windows platform[/i]. [/b] Emphasis added.
      athynz
    • RE: The sorry state of antivirus software

      @itguy08 So the writer says to not turn it into a Mac vs Linux vs Windows debate and you reply with the first comment turning it into just that. Yeah, you're a failure. And there are viruses on both of those platforms, which you can get in the same method as you can on Windows: downloading, installing and okaying them.
      Jimster480