Does free antivirus offer a false feeling of security?

Earlier this month, Symantec’s product manager David Hall dismissed free security software as equal alternative to the paid versions, and also described  Microsoft’s free “Microsoft Security Essentials” as “a stripped down version of the OneCare product Microsoft pulled from retail shelves“.

Needless to  say that such statements from a competing vendor often come as a direct frontal attack against the alternative solution, however, they also fuel the debate on whether or not free antivirus offers a false feeling of security.

The answer? Let the data, and a bit of a common sense speak for itself.

Antivirus software is not the solution, antivirus software is part of the (defense in-depth) solution

Consider the results from the latest Anti-Virus comparative review for May 2009 against new malware, indicating that Microsoft’s OneCare achieved an Advanced+ rating (60% detection), putting it on the second position, with Symantec achieving a mere 35% detection rate — ironically a huge percentage of AV-Comparative’s visitors are running free antivirus software according to their voting poll.

Moreover, similar results can be seen in Virus Bulletin’s comparative review for April, 2009 (subscribers only), where OneCare once again outperforms Symantec.

Does this mean that free antivirus is in fact outperforming commercial applications? Given the dynamic nature of today’s threats, what’s true for a particular moment in time can become totally irrelevant at a future date. For instance, some real-time time statistics on antivirus rankings have the potential to offer an entirely different comparative view — free antivirus scanners again rank pretty well — which shouldn’t be considered as the primary benchmark when attempting to answer whether or not free antivirus offers a false feeling of security.

Both, commercial and free stand-alone antivirus scanners suffer from a similar weakness - they’re over-positioned in the mind of the average Internet user. This over-positioning results in higher expectations which on the other hand results in lack of security awareness on what an antivirus scanner can, and cannot protect against (Secunia: popular security suites failing to block exploits).

Cybercriminals have been tricking signature based scanning engines for years, and their quality assurance practices are becoming even more professional and automated through the user of underground versions of popular community services such as VirusTotal, or by using multiple offline virus scanning engines before a campaign is launched. Similar services attempting to verify whether or not their malware sample will bypass popular personal firewalls are also known to be available on demand.

Therefore, fighting the battle on the signature scanning front isn’t exactly the wisest choice. This is where the stand-alone antivirus, a free or commercial version of it, becomes part of the defense in-depth solution.

Through a combination of a fully patched operating system running the latest versions of the software installed (Secunia: Average insecure program per PC rate remains high), least privilege accounts (Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts) and a well-configured personal firewall (Matousec’s Proactive Security Challenge), a huge percentage of the malware pushed through client-side exploits may in fact never reach the antivirus scanner.

That’s of course only if you exclude the fact that “there’s no patch for human stupidity” in the sense that social engineering in the form of fake codecs/videos and poisoned search results continue tricking users into on purposely disabling the security solutions that they had at the first place.