Does free antivirus offer a false feeling of security?

Earlier this month, Symantec product manager David Hall dismissed free security software as an equal alternative to the paid versions, and described Microsoft's free "Microsoft Security Essentials" as "a stripped down version of the OneCare product Microsoft pulled from retail shelves".

Needless to say, such statements from a competing vendor are usually a direct frontal attack on the alternative solution; they do, however, also fuel the debate on whether or not free antivirus offers a false feeling of security.

The answer? Let the data, and a bit of common sense, speak for themselves.

Antivirus software is not the solution; antivirus software is part of the (defense-in-depth) solution

Consider the results of AV-Comparatives' May 2009 review against new malware: Microsoft's OneCare achieved an Advanced+ rating with 60% detection, placing it second, while Symantec achieved a mere 35% detection rate. Ironically, a huge percentage of AV-Comparatives' visitors are running free antivirus software, according to the site's own poll.

Moreover, similar results can be seen in Virus Bulletin's comparative review for April, 2009 (subscribers only), where OneCare once again outperforms Symantec.

Does this mean that free antivirus is in fact outperforming commercial products? Given the dynamic nature of today's threats, what is true at a particular moment can become irrelevant at a later date. Real-time statistics on antivirus rankings, for instance, can paint an entirely different comparative picture (free antivirus scanners again rank pretty well), and such snapshots shouldn't be treated as the primary benchmark when asking whether or not free antivirus offers a false feeling of security.

Both commercial and free stand-alone antivirus scanners suffer from the same weakness: they are over-positioned in the mind of the average Internet user. This over-positioning creates inflated expectations, which in turn leave users unaware of what an antivirus scanner can and cannot protect against (Secunia: popular security suites failing to block exploits).

Cybercriminals have been tricking signature-based scanning engines for years, and their quality assurance practices are becoming ever more professional and automated through the use of underground equivalents of popular community services such as VirusTotal (what sets the underground services apart is that they do not forward submitted samples to the vendors), or by running samples through multiple offline scanning engines before a campaign is launched. Similar services that verify whether or not a malware sample will bypass popular personal firewalls are also known to be available on demand.

Therefore, fighting the battle on the signature-scanning front alone isn't the wisest choice. This is where the stand-alone antivirus scanner, free or commercial, becomes one part of a defense-in-depth solution rather than the whole of it.
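To make the point concrete, here is a toy scanner, added as an example and not code from the article. The signature database, the XOR "packer" stub and the mutation list are constructed for the illustration; the only real artifact is the EICAR test string, which is harmless by design and detected by every vendor. The code shows which signature kinds survive which cheap mutation, and models the pre-release testing loop the paragraph describes: keep mutating until nothing fires.

```python
import hashlib
import re

# Real, harmless test file that every engine detects (the standard EICAR string).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed "packer": a fixed 4-byte marker, a one-byte key, then the XOR-encoded body.
STUB_MARKER = b"\xde\xad\xbe\xef"


def xor_pack(body: bytes, key: int) -> bytes:
    """Encode `body` behind the constructed stub; the marker stays constant."""
    return STUB_MARKER + bytes([key]) + bytes(b ^ key for b in body)


def xor_unpack(blob: bytes) -> bytes:
    """What an engine with emulation/unpacking would see after the stub has run."""
    key = blob[len(STUB_MARKER)]
    return bytes(b ^ key for b in blob[len(STUB_MARKER) + 1:])


# Constructed signature database: name -> (kind, pattern).
#   hash  : SHA-256 of the whole file    (defeated by any change at all)
#   bytes : exact byte sequence           (defeated by a one-byte edit)
#   regex : pattern with a wildcard byte  (tolerates the edit it anticipates)
SIGNATURES = {
    "EICAR.hash": ("hash", hashlib.sha256(EICAR).hexdigest()),
    "EICAR.exact": ("bytes", b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
    "EICAR.fuzzy": ("regex", re.compile(rb"EICAR-STANDARD-ANTIVIRU\S-TEST-FILE")),
    # Signature on the packer stub itself, added once the stub has been seen in the wild.
    "Packer.stub": ("bytes", STUB_MARKER),
}
# The same database before anyone had signatured the stub.
PAYLOAD_ONLY = {k: v for k, v in SIGNATURES.items() if k != "Packer.stub"}


def scan(data: bytes, signatures=None) -> list:
    """Return the sorted names of every signature that fires on `data`."""
    signatures = SIGNATURES if signatures is None else signatures
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for name, (kind, pattern) in signatures.items():
        if kind == "hash":
            matched = digest == pattern
        elif kind == "bytes":
            matched = pattern in data
        else:
            matched = pattern.search(data) is not None
        if matched:
            hits.append(name)
    return sorted(hits)


# Cheap-to-expensive mutations an attacker's QA step might try, in order.
MUTATIONS = [
    ("pad", lambda d: d + b"\x00" * 16),                              # only the hash changes
    ("substitute", lambda d: d.replace(b"ANTIVIRUS", b"ANTIVIRU5")),  # breaks the exact match
    ("xor", lambda d: xor_pack(d, 0x5A)),                             # hides the whole body
]


def first_evasion(sample: bytes, signatures=None):
    """Model of the pre-release check: return the first mutation no signature
    catches, or None if every variant is still detected."""
    for label, mutate in MUTATIONS:
        if not scan(mutate(sample), signatures):
            return label
    return None


if __name__ == "__main__":
    for label, mutate in [("original", lambda d: d)] + MUTATIONS:
        print(f"{label:10s} -> {scan(mutate(EICAR)) or 'clean'}")
    print("evades payload signatures via:", first_evasion(EICAR, PAYLOAD_ONLY))
    print("evades after stub is signatured:", first_evasion(EICAR))
    print("unpacked body equals original:", xor_unpack(xor_pack(EICAR, 0x5A)) == EICAR)
```

Running it shows the original hitting all three EICAR signatures, padding dropping only the hash signature, the one-byte substitution leaving only the wildcard signature, and the XOR-packed variant coming back clean against the payload-only set. The arms race is visible in the last two lines: whatever constant the attacker leaves behind (here the stub marker) becomes the next signature, and an engine that unpacks the stub sees the original body again, which is why signature databases alone never settle the question.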

Through a combination of a fully patched operating system running the latest versions of the installed software (Secunia: average insecure programs per PC rate remains high), least-privilege user accounts (Report: 92% of critical Microsoft vulnerabilities mitigated by least-privilege accounts) and a well-configured personal firewall (Matousec's Proactive Security Challenge), a huge percentage of the malware pushed through client-side exploits may never reach the antivirus scanner at all: the exploit fails against a patched application, the payload cannot gain system-wide persistence from a limited account, or it cannot reach the server it needs to fetch the next stage from.

That is, of course, only if you set aside the fact that "there's no patch for human stupidity": social engineering in the form of fake codecs/videos and poisoned search results continues to trick users into deliberately disabling the security solutions they had in the first place.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

57 comments
  • No it does not...

    "Does free antivirus offer a false feeling of security?" No it does not, not any more than commercial does. The real question is: does all antivirus software offer a false feeling of security? I am undecided but leaning towards yes in some cases.

    "Earlier this month, Symantec's product manager David Hall dismissed free security software as equal alternative to the paid versions, and also described Microsoft's free 'Microsoft Security Essentials' as 'a stripped down version of the OneCare product Microsoft pulled from retail shelves'." This is funny coming from Symantec; while I love and use their Endpoint Protection, I think their consumer antivirus programs are incredibly heavy and piggish with the computer's resources. At least they were; I haven't used their consumer antiviruses in a couple of years.

    "That's of course only if you exclude the fact that 'there's no patch for human stupidity' in the sense that social engineering in the form of fake codecs/videos and poisoned search results continue tricking users into on purposely disabling the security solutions that they had at the first place." That's the God's honest truth right there. I always say the computer is only as smart as its user; if the user says it's OK to download fake codecs and disables the computer's antivirus, then that is what the computer does. It is, after all, just following instructions.


    NoThomas
    • No it does not...

      Good points. I use the latest Norton Internet Security - it's easier on the resources, at least with a dual core.

      The biggest problems I see are:
      A. Failure to keep security software updated
      B. Careless surfing
      C. Actually opening messages and clicking links in the SPAM folder (duh!)

      A little common sense goes a long way.

      neverhome
      • I've even been able to run...

        NIS 2010 on single-core PCs! As long as it is a P4 with at least 1 GB of RAM, everything seems to run swimmingly.

        The newer versions (2008, 2009, 2010) seem to actually catch and/or prevent viruses, unlike their predecessors.
        JCitizen
  • ALL AV offers a false sense of security

    Signature-based AV products are ineffective these days. All you need to do to see this in action is do a search on VirusTotal.com and check the detection rates for specific malware. VirusTotal.com takes malware and runs it by the top 38 AV products, and then publishes the results as to which AV products detected it as malware and which didn't. When only 2 or 3 AV products out of 38 are detecting malware threats, and no AV product is consistently on the 'detected' side of those stats, you know you're in trouble.

    Should you still run AV? Absolutely - it's better than having nothing (in most cases). Are you safe with just an AV product in place? Absolutely not. You need many different security pieces in place to address this; security in depth, as many have been preaching, is a must.
    ejhonda
    • Most definitely...

      Many would do well to heed your advice!!
      JCitizen
  • That list looks familiar.

    [i]Through a combination of a fully patched operating system running the latest versions of the software installed (Secunia: Average insecure program per PC rate remains high), least privilege accounts (Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts) and a well-configured personal firewall (Matousec's Proactive Security Challenge), a huge percentage of the malware pushed through client-side exploits may in fact never reach the antivirus scanner.[/i]

    It's the same list I've posted on these talkbacks for quite some time.
    ye
  • RE: Does free antivirus offer a false feeling of security?

    This David Hall guy, all he is doing is trying to sell product. Why does he care about the user and their security? I've heard his blabber before.
    GameOvR
  • Remember this comes from Symantec...

    The company that led the fray to have Microsoft undo 64-bit Kernel PatchGuard in Vista SP1 - just so they could dig their own teeth deeper into Windows, while allowing others to do the same.
    Joe_Raby
    • That really chaps my...

      butt too!! Now, how is anyone going to be able to say Microsoft did it right, when every crime cracker is going to be looking for the same back door!
      JCitizen
  • RE: Does free antivirus offer a false feeling of security?

    It doesn't for me. Even with a scanner installed, and a firewall up and running, I'm still paranoid about what I will allow on my system.

    And Symantec's rant is just sour grapes. They lost the battle years ago to be the top dog in AV software, and now they can't catch up..or don't want to. They'd rather whine about the 'good ol' days'.
    tealcat
    • To Who(m)?

      Just wondering: exactly who did Symantec lose this battle to? I'm no Symantec fan at all (I use it at work, but use different tools at home), but who is bigger?
      vermonter
  • RE: Does free antivirus offer a false feeling of security?

    Relying on one method to prevent your system from being infected is not recommended. Anti-virus of any type (paid, open source or free) should be coupled with a firewall and other security measures to prevent your system from being compromised.
    However, Microsoft OneCare is not a total solution for anti-virus, since I have read the reviews and done my own limited testing, and it didn't catch as many viruses/malware as other programs.
    phatkat
    • You should read recent reviews

      May 2009, AV Comparatives scored it 2nd place in detections, with the lowest number of false positives.

      The previous favourite, NOD32, has been steadily dropping. AVG is the worst of the free AV software, with Avast close behind and Antivir further ahead. Norton scored better than McAfee but was middle of the road.

      Kaspersky was up there, but the number of false positives was high.

      Overall, I'd say that the median score for OneCare puts it "first". OneCare's engine and definitions are the same as Forefront Client Security and Microsoft Security Essentials. Defender is practically the same, but omits the antivirus definitions.
      Joe_Raby
      • OneCare helped topple resource hungry, expensive AV

        Until OneCare, AV was expensive and rampantly taking over computer resources, to the point of almost being worse than what it was supposedly defending us against.

        OneCare offered an integrated package for multiple computers at half the price of one of the then current AV products.

          Basically, MS told them, 'you're crippling the computers and charging too much for the privilege'. Until OneCare changed the playing field, it was expensive for a family to 'protect' all their computers.
        Patanjali
        • Agreed

          Now Windows Vista (and Windows 7) includes 95% of what OneCare is/was offering. Windows Vista just has the stuff in disjointed places (Backup & Restore Center, Auto-defrag is already setup, Disk Cleanup needs to be scheduled, etc.).

          Windows 7's Action Center is basically OneCare again, but integrated into the OS. A user only needs to choose a decent anti-malware engine to run alongside it as the other security and non-security PC health features are already there. I recommend Microsoft Security Essentials, since it has the same engine as OneCare, and that scanning engine scored nearly top of the list on May's AV-Comparatives review. Nobody needs a full security suite anymore because Windows already has a two-way firewall (it's had one since Windows XP SP2), and parental controls are built into the OS. Every email program has a spam filter now too, even webmail.

          So if you take a program like Norton 360 and break it down into its sub-components, the only thing you need out of it is the antimalware engine.

          The question is, why would anybody pay $90+/yr for a "complete" security suite like Norton 360 when Windows includes everything except for the antimalware engine, and Microsoft has a better (read: rated better, not just my opinion) antimalware engine for free?

          Symantec and the rest of the security market are just committing to fraudulent scare tactics to get people to pay for something they don't need to. They need to change their business model and cater primarily to business security management. They've lost the consumer game.
          Joe_Raby
          • Very true!....

            The bloated suites tangled up the CPU so much that lightweight malware was able to take over or obfuscate its presence.

            Freeware is mostly the opposite, with lightning-fast reflexes, and some free AV even has superior heuristics. The list of really effective ones is only about 20 in number, though. A good read of CNET's user ratings pretty well sums up what is going to work and what isn't.

            I must admit NIS 2009 works pretty well even though it still has a huge RAM presence. I can't attest how well it works on 32-bit systems, though. As soon as mine expires, I'm probably going back to NOD32 or perhaps even the paid edition of AVAST.
            JCitizen
  • I run a computer service shop, and...

    ...we drop Avast on ALL computers that come in, while simultaneously telling every single customer that it will do nothing to prevent them from brand new threats...and neither will anything else on the market today! Quoting myself, "viruses are a cat-and-mouse game, and antivirus vendors are always the cat doing the chasing." Software firewalls are also junk, because any virus that does take root can easily bypass such a program. In reality, the only two things that are needed to keep a secure network are (A) a hardware firewall between you and the Internet and (B) well-educated, cautious, skeptical users. Education seems to fly out the window when an erection or free music is involved, which is why 90% of what we see is porn seekers downloading whatever they think will be porn (and obviously wasn't) and teens who grab LimeWire and proceed to download every virus known to man in the process. Computers and their software stopped being the weakest link over a decade ago. The most commonly exploited security hole on a computer is the device which sits between the keyboard and the chair, not the IP stack or WMF rendering libraries.
    cryptikonline
    • Infected MP3's

      I see the same thing in MP3's on Limewire all the time.

      The most common virus is an ASF script in an MP3 ID3 tag that goes by the name "Troj/WiMad". Microsoft's AV software picks it up. So does Norton. AVG doesn't. Avast doesn't either.
      Joe_Raby
    • More than 20 to 30,000 legitimate web sites...

      are infected now and growing. I and my clients catch more drive-by attempts from legitimate web sites than I ever used to on my porno virus honeypot in the lab.

      I no longer bother to surf porno for virus/malware action, as it is the shopping and regular sites that are the truly dangerous threats now.

      I've been able to keep up with it using (as you say) a good hardware firewall and good software utilities for defense in depth. All you have to do is go by the high user ratings on CNET and use utilities with varied technology in their real-time protections to avoid conflicts, and you can pretty well thwart most if not all attacks.

      Keeping applications up to date is paramount, even if you operate as a restricted user.
      JCitizen
    • On Firewalls

      Even a hardware firewall won't help you if you get infected by something you download and run. Most consumer firewalls allow any outgoing connection and block any incoming connection. While this is good against automated incoming attacks, it does no good if you run the malware yourself. So software and hardware firewalls both fail when malware gets triggered internally on your network.

      Now, if you take the time to configure a hardware firewall to block all outgoing connections and then allow only specific outgoing connections to known IP addresses, that makes you a lot more secure. So if you only allow HTTP and HTTPS outgoing to an ISP-provided proxy server for web surfing, then when that malware script on the website tries to download the payload of the malware from another site over port 80, because it assumes it will be allowed, it can't, and you don't get infected. You might trigger AV software, but nothing is going to happen, as you stopped the malware in its tracks. Do the same thing for your SMTP and POP connections. Still, this only reduces the chances of getting an infection, because there is proxy-aware malware, but it's very rare and you really don't see it used for automated attacks on infected websites.
      voska1
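The outbound policy the comment above describes, together with the "well-configured personal firewall" the article lists as a defense-in-depth layer, modelled as an added example (not code from the article or the commenter). The addresses, the proxy port and the connection attempts are constructed, and first-match top-to-bottom evaluation is the assumed rule semantics. It shows what changes between an allow-all-outbound default and a default-deny policy, including the residual gap the comment notes: proxy-aware malware is indistinguishable from the browser at this layer.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: a home LAN resolver and proxy, and the provider's mail server
# (external hosts use RFC 5737 documentation ranges).
RESOLVER = "192.168.1.1"
PROXY = "192.168.1.2"
MAIL = "198.51.100.25"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    dst: ipaddress.IPv4Network   # destination network the rule covers
    ports: frozenset             # destination ports; empty means any port
    comment: str


def rule(action, proto, dst, ports, comment) -> Rule:
    return Rule(action, proto, ipaddress.ip_network(dst), frozenset(ports), comment)


# Typical consumer default: everything outbound is allowed.
CONSUMER_DEFAULT = [rule("allow", "any", "0.0.0.0/0", (), "allow all outbound")]

# The locked-down policy the comment describes: explicit allows, then deny everything.
# First match wins, top to bottom (the semantics assumed for this example).
LOCKED_DOWN = [
    rule("allow", "udp", RESOLVER + "/32", (53,), "DNS to local resolver"),
    rule("allow", "tcp", PROXY + "/32", (8080,), "HTTP/HTTPS only via the proxy"),
    rule("allow", "tcp", MAIL + "/32", (25, 110, 587, 995), "SMTP/POP to the provider"),
    rule("deny", "any", "0.0.0.0/0", (), "default deny"),
]


def evaluate(policy, proto: str, dst_ip: str, dst_port: int):
    """First-match evaluation of an outbound connection; returns (action, comment)."""
    dst = ipaddress.ip_address(dst_ip)
    for r in policy:
        if r.proto != "any" and r.proto != proto:
            continue
        if dst not in r.dst:
            continue
        if r.ports and dst_port not in r.ports:
            continue
        return r.action, r.comment
    return "deny", "implicit deny"


# Constructed connection attempts from a LAN host: (label, proto, destination, port).
ATTEMPTS = [
    ("browser via proxy", "tcp", PROXY, 8080),
    ("browser direct to a web site", "tcp", "203.0.113.10", 80),
    ("downloader fetching its payload", "tcp", "203.0.113.45", 80),
    ("downloader on a non-standard port", "tcp", "203.0.113.45", 4444),
    ("proxy-aware malware", "tcp", PROXY, 8080),
    ("mail client", "tcp", MAIL, 587),
]


def decisions(policy) -> dict:
    """Map each attempt label to the policy's decision."""
    return {label: evaluate(policy, proto, ip, port)[0]
            for label, proto, ip, port in ATTEMPTS}


if __name__ == "__main__":
    for name, policy in (("consumer default", CONSUMER_DEFAULT), ("locked down", LOCKED_DOWN)):
        print(name)
        for label, proto, ip, port in ATTEMPTS:
            action, why = evaluate(policy, proto, ip, port)
            print(f"  {label:34s} {proto}/{ip}:{port:<5} -> {action} ({why})")
```

Under the consumer default every attempt is allowed, so the downloader's fetch succeeds and the antivirus scanner is the only thing left between the exploit and the payload. Under the locked-down policy the direct fetch is denied regardless of port, while the browser, mail client and DNS keep working; the one attempt that still gets through is the proxy-aware one, which is exactly the residual risk the comment points out and the reason the firewall is a layer rather than the answer.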